|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�root�root�networkscan/9600�
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
root�root�networkscan/9600
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 28,
"payload_entropy": 3.624518654958899,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "457ab18c8fd02f0f3035a058670c8ebc",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0000root\u0000root\u0000networkscan\/9600\u0000",
"request_sample": "\u0000root\u0000root\u0000networkscan\/9600\u0000",
"payload_snippet": "\u0000root\u0000root\u0000networkscan\/9600\u0000",
"evidence": {
"request_sample": "\u0000root\u0000root\u0000networkscan\/9600\u0000",
"payload_snippet": "\u0000root\u0000root\u0000networkscan\/9600\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7bc41845f7f115bc916a0d97c73a1345e815193e",
"protocol_details": {
"payload_preview": "\u0000root\u0000root\u0000networkscan\/9600\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "rootrootnetworkscan\/9600",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000root\u0000root\u0000networkscan\/9600\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "rootrootnetworkscan\/9600",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
ls
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 4,
"payload_entropy": 2,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b5e91483d350b5a84c2bb3a7a72950d5",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "ls\r\n",
"request_sample": "ls\r\n",
"payload_snippet": "ls",
"evidence": {
"request_sample": "ls\r\n",
"payload_snippet": "ls",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bb01707121bae723042d19f4805b6c8ca85eee1e",
"protocol_details": {
"payload_preview": "ls",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "ls",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "ls",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "ls",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
� ���� �
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 8,
"payload_entropy": 1.5487949406953985,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3fb069b93c25c14f7ee1921156534d75",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0001\f\u0000\u0000\u0000\u0000\r\u0000",
"request_sample": "\u0001\f\u0000\u0000\u0000\u0000\r\u0000",
"payload_snippet": "\u0001\f\u0000\u0000\u0000\u0000\r\u0000",
"evidence": {
"request_sample": "\u0001\f\u0000\u0000\u0000\u0000\r\u0000",
"payload_snippet": "\u0001\f\u0000\u0000\u0000\u0000\r\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f2d8a53f387d25a16795bc869ca7afe7ddf26e31",
"protocol_details": {
"payload_preview": "\u0001\f\u0000\u0000\u0000\u0000\r\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0001\f\u0000\u0000\u0000\u0000\r\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Protocole wire MongoDB
mongodb wire protocol · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
mongodb_hello_probe
net_mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
���� ���������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0363
pat-0364
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����
���������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Requête brute (extrait)
���� ���������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-driver��version�����1.17.4���os�.����type�����darwin��architecture�����arm64���platform� ���go1.26.1
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 231,
"payload_entropy": 4.369460772401425,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "dc2ec784f9a815f823c3fd671e6643654e6864ac",
"event_fingerprint": "c4ffac262af74aac6212858329eccfdbb04aa9c9",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0363",
"pat-0364"
],
"kb_rule_ids": [
"pat-0363",
"pat-0364"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1fe91dd7e3b6f00d70a2331e37a420ac",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 38
},
"payload_snippet": "\ufffd\u0000\u0000\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"evidence": {
"request_sample": "\ufffd\u0000\u0000\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d76116f8e3aa54cf6f397ef5b20023f91debce92",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\r\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0363",
"pat-0364"
],
"tags_summary_labels_fr": [
"pat-0363",
"pat-0364"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\r\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_hello_probe",
"net_mongodb_probe"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
dnp3 probe
dnp3 probe · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�d������6L�d������ގ�d���������d������wF�d���������d�������R�d�������X�d������\��d���������d�� ����{�d�� ����q�d�� ���X��d�� ���
Pourquoi cette classification : Type « dnp3_probe » (signaux protocolaires) · confiance 51%
Confiance classification
51%
Risque capteur
Faible
· 33
Confiance : Confiance 51 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0794
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Sigma DNP3 link
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
�d������6L�d������ގ�d���������d������wF�d���������d�������R�d�������X�d������\��d���������d�� ����{�d��
����q�d������X��d���
Requête brute (extrait)
�d������6L�d������ގ�d���������d������wF�d���������d�������R�d�������X�d������\��d���������d�� ����{�d�� ����q�d�� ���X��d�� ���2e�d�� ���ڧ�d���������d������so�d���������d�������)�d�������#�d������P��d������:7�d���������d���������d������{=�d������>��d���
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 1010,
"payload_entropy": 4.3443211035276414,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 33,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%",
"confidence": 0.51,
"classification_confidence": 0.51,
"precision_score": 60,
"precision_signals": [
"pat-0794"
],
"kb_rule_ids": [
"pat-0794"
],
"matched_patterns": [
"pat-0794",
"pat-0348",
"pat-0868",
"pat-0554"
],
"matched_pattern_names": [
"Sigma DNP3 link",
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0794",
"pat-0348",
"pat-0868",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 51,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7d3587032b33d30b8978ddc3a10bd429",
"path_pattern_hash": "859b07b9d78548343d57aca7faf5fc6a"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 33
},
"payload_snippet": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u00002e\u0005d\u0005\ufffd\r\u0000\u0000\u0000\u06a7\u0005d\u0005\ufffd\u000e\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u000f\u0000\u0000\u0000so\u0005d\u0005\ufffd\u0010\u0000\u0000\u0000\u0011\ufffd\u0005d\u0005\ufffd\u0011\u0000\u0000\u0000\ufffd)\u0005d\u0005\ufffd\u0012\u0000\u0000\u0000\ufffd#\u0005d\u0005\ufffd\u0013\u0000\u0000\u0000P\ufffd\u0005d\u0005\ufffd\u0014\u0000\u0000\u0000:7\u0005d\u0005\ufffd\u0015\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0016\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0017\u0000\u0000\u0000{=\u0005d\u0005\ufffd\u0018\u0000\u0000\u0000>\u001e\u0005d\u0005\ufffd\u0019\u0000",
"payload_snippet": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u0000",
"classification_reason": "Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ab5d1d3f36318e65ea8353037a243c402d6bd1f",
"protocol_details": {
"payload_preview": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "d\ufffd6Ld\ufffd\u078ed\ufffd\ufffd\ufffdd\ufffdwFd\ufffd\ufffdd\ufffd\ufffdRd\ufffd\ufffdXd\ufffd\\\ufffdd\ufffd\ufffdd\ufffd\t\ufffd{d\ufffd\n\ufffdqd\ufffdX\ufffdd\ufffd",
"attack_vector": "dnp3 probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 51 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%",
"classification_reason_label_fr": "Type \u00ab dnp3_probe \u00bb (signaux protocolaires) \u00b7 confiance 51%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 51,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0794"
],
"tags_summary_labels_fr": [
"pat-0794"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0005d\u0005\ufffd\u0000\u0000\u0000\u00006L\u0005d\u0005\ufffd\u0001\u0000\u0000\u0000\u078e\u0005d\u0005\ufffd\u0002\u0000\u0000\u0000\ufffd\ufffd\u0005d\u0005\ufffd\u0003\u0000\u0000\u0000wF\u0005d\u0005\ufffd\u0004\u0000\u0000\u0000\u001d\ufffd\u0005d\u0005\ufffd\u0005\u0000\u0000\u0000\ufffdR\u0005d\u0005\ufffd\u0006\u0000\u0000\u0000\ufffdX\u0005d\u0005\ufffd\u0007\u0000\u0000\u0000\\\ufffd\u0005d\u0005\ufffd\b\u0000\u0000\u0000\u0019\ufffd\u0005d\u0005\ufffd\t\u0000\u0000\u0000\ufffd{\u0005d\u0005\ufffd\n\u0000\u0000\u0000\ufffdq\u0005d\u0005\ufffd\u000b\u0000\u0000\u0000X\ufffd\u0005d\u0005\ufffd\f\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "dnp3 probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "d\ufffd6Ld\ufffd\u078ed\ufffd\ufffd\ufffdd\ufffdwFd\ufffd\ufffdd\ufffd\ufffdRd\ufffd\ufffdXd\ufffd\\\ufffdd\ufffd\ufffdd\ufffd\t\ufffd{d\ufffd\n\ufffdqd\ufffdX\ufffdd\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 51 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 51 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"behavior_alert_count": 2,
"behavior_priority": 72
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
��������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0532
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 8,
"payload_entropy": 1.2987949406953985,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0532"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "81c925d11c32560fcec7a39ad0c9bd41",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0001\u0001\u0000\u0000\u0000\u0000\u0002\u0000",
"request_sample": "\u0001\u0001\u0000\u0000\u0000\u0000\u0002\u0000",
"payload_snippet": "\u0001\u0001\u0000\u0000\u0000\u0000\u0002\u0000",
"evidence": {
"request_sample": "\u0001\u0001\u0000\u0000\u0000\u0000\u0002\u0000",
"payload_snippet": "\u0001\u0001\u0000\u0000\u0000\u0000\u0002\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "579435723a8586a1d2a16c267497b85a68d7f727",
"protocol_details": {
"payload_preview": "\u0001\u0001\u0000\u0000\u0000\u0000\u0002\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0532"
],
"tags_summary_labels_fr": [
"pat-0532"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0001\u0001\u0000\u0000\u0000\u0000\u0002\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde OPC-UA
opcua probe · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
HELF9���������������������������opc.tcp://62.3.50.33:9100
Pourquoi cette classification : Type « opcua_probe » (signaux protocolaires) · confiance 47%
Confiance classification
47%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 47 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0626
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
OPC UA HEL
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
HELF9���������������������������opc.tcp://62.3.50.33:9100
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 57,
"payload_entropy": 3.488727371807767,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 35,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"confidence": 0.47,
"classification_confidence": 0.47,
"precision_score": 56,
"precision_signals": [
"pat-0626"
],
"kb_rule_ids": [
"pat-0626"
],
"matched_patterns": [
"pat-0103",
"pat-0626",
"pat-0554"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"OPC UA HEL",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0103",
"pat-0626",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 47,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ecc17dea29739bf6adf6f5464c6c1f67",
"path_pattern_hash": "9665a326f7d8f70f1661dab78807b951"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_preview": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:9100",
"request_sample": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:9100",
"payload_snippet": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:9100",
"evidence": {
"request_sample": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:9100",
"payload_snippet": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:9100",
"classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4c8463de67244d1074e9fbe3e1f2798caefe08cf",
"protocol_details": {
"payload_preview": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:9100",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "HELF9\ufffd\ufffd\ufffd\ufffdopc.tcp:\/\/62.3.50.33:9100",
"attack_vector": "opcua probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"classification_reason_label_fr": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 47,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0626"
],
"tags_summary_labels_fr": [
"pat-0626"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "HELF9\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0019\u0000\u0000\u0000opc.tcp:\/\/62.3.50.33:9100",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "opcua probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "HELF9\ufffd\ufffd\ufffd\ufffdopc.tcp:\/\/62.3.50.33:9100",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
l� ���������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0768
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 12,
"payload_entropy": 0.8166890883150209,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0768"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ad33d13d6bc3bd05c9957f130811a989",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f5cd1854115834ba6609012a1b952fcc6d1e986f",
"protocol_details": {
"payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "l",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0768"
],
"tags_summary_labels_fr": [
"pat-0768"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "l",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
/00ID01
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
/00ID01
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 8,
"payload_entropy": 2.4056390622295662,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b1d51b7b57d0e8ab6f7051937f849133",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "\/00ID01\r",
"request_sample": "\/00ID01\r",
"payload_snippet": "\/00ID01",
"evidence": {
"request_sample": "\/00ID01\r",
"payload_snippet": "\/00ID01",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "69560e57df2e1a4bf77f35de1527ff133606547b",
"protocol_details": {
"payload_preview": "\/00ID01",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\/00ID01",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\/00ID01",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\/00ID01",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
��������������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0577
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 14,
"payload_entropy": 0.9463729359854419,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0577"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "cbe24b60645a06f24f08a625fab65652",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "940d6ad1036e26142b1ffab2b13f7eb6275fafda",
"protocol_details": {
"payload_preview": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0577"
],
"tags_summary_labels_fr": [
"pat-0577"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0001\u0000\u0000\u0001\u0000\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde IEC 104 (SCADA)
iec104 probe · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
h�����
Pourquoi cette classification : Type « iec104_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 33
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0564
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
IEC104 STARTDT act
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 6,
"payload_entropy": 1.792481250360578,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 33,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab iec104_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0564"
],
"kb_rule_ids": [
"pat-0564"
],
"matched_patterns": [
"pat-0564",
"pat-0554"
],
"matched_pattern_names": [
"IEC104 STARTDT act",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0564",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "92933e47b8e6d55397d8a0396a425791",
"path_pattern_hash": "09bd81a4aaa94733fb840e5e256406fa"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 33
},
"payload_preview": "h\u0004\u0007\u0000\u0000\u0000",
"request_sample": "h\u0004\u0007\u0000\u0000\u0000",
"payload_snippet": "h\u0004\u0007\u0000\u0000\u0000",
"evidence": {
"request_sample": "h\u0004\u0007\u0000\u0000\u0000",
"payload_snippet": "h\u0004\u0007\u0000\u0000\u0000",
"classification_reason": "Type \u00ab iec104_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"ics_probe",
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e2a437ea34a3b1c2be0ec325e74a7a6a84d76efa",
"protocol_details": {
"payload_preview": "h\u0004\u0007\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "h",
"attack_vector": "iec104 probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab iec104_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab iec104_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0564"
],
"tags_summary_labels_fr": [
"pat-0564"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "h\u0004\u0007\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "iec104 probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "h",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Protocole wire MongoDB
mongodb wire protocol · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
mongodb_hello_probe
net_mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0363
pat-0364
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Requête brute (extrait)
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-driver��version�����1.17.4���os�.����type�����darwin��architecture�����arm64���platform� ���go1.26.1
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 231,
"payload_entropy": 4.355412666350185,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "dc2ec784f9a815f823c3fd671e6643654e6864ac",
"event_fingerprint": "c4ffac262af74aac6212858329eccfdbb04aa9c9",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0363",
"pat-0364"
],
"kb_rule_ids": [
"pat-0363",
"pat-0364"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "afea43ef180701b4e2c72f9d598bc610",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 38
},
"payload_snippet": "\ufffd\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"evidence": {
"request_sample": "\ufffd\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "32e5d70b4b8f7b14f34b1ca2fc31c3d4e322aec1",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0363",
"pat-0364"
],
"tags_summary_labels_fr": [
"pat-0363",
"pat-0364"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\u0007\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_hello_probe",
"net_mongodb_probe"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde port 9100/TCP
port 9100 tcp · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Preuve honeypot — Sonde port 9100/TCP
Connexion détectée sur le port 9100 (TCP) du capteur simulé.
Service
JETDIRECT
Payload
�����+<M��������������������scanner���������������������������������������������������������networkscan�������������������������
Pourquoi cette classification : Type « port_9100_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����+<M��������������������scanner���������������������������������������������������������networkscan
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 156,
"payload_entropy": 1.4164089161695235,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 35,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d3abe8023609a7751e3166377efabae7",
"path_pattern_hash": "1144138c1a57dd6566e67742399f5aa8"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_snippet": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8fa25c2805369dbee8dc363b0faa1ccb09f88bef",
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd+<Mscannernetworkscan",
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0001scanner\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000networkscan\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd+<Mscannernetworkscan",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
/01UG00
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
/01UG00
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 8,
"payload_entropy": 2.4056390622295662,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ee1dc7ce8c714fcd1265f30e19b46ce8",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "\/01UG00\r",
"request_sample": "\/01UG00\r",
"payload_snippet": "\/01UG00",
"evidence": {
"request_sample": "\/01UG00\r",
"payload_snippet": "\/01UG00",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3205eb1c59e511d25d6270fea7a3c534130926ed",
"protocol_details": {
"payload_preview": "\/01UG00",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\/01UG00",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\/01UG00",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\/01UG00",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
����@������������ͫ�gE#�����������������������������������������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0577
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����@������������ͫ�gE#�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 64,
"payload_entropy": 1.2940976117890584,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0577"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "81af7e946d4402d6c4e2bd7875d7bbc3",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dd67396ad304527f5ee89cff22e1eefa47af0d23",
"protocol_details": {
"payload_preview": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "@\ufffd\u036b\ufffdgE#",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0577"
],
"tags_summary_labels_fr": [
"pat-0577"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0001\u0000\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0003\u0000\ufffd\u036b\ufffdgE#\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "@\ufffd\u036b\ufffdgE#",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde port 9100/TCP
port 9100 tcp · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Preuve honeypot — Sonde port 9100/TCP
Connexion détectée sur le port 9100 (TCP) du capteur simulé.
Service
JETDIRECT
Payload
���������������������
Pourquoi cette classification : Type « port_9100_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
S7 TPKT packet
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 22,
"payload_entropy": 2.9864147115206285,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 35,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0376",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"S7 TPKT packet",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0376",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "56ec831c21f793ddb087e59cc39c62fe",
"path_pattern_hash": "1144138c1a57dd6566e67742399f5aa8"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n",
"request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n",
"payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001",
"evidence": {
"request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n",
"payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c302d24bf6d9fbb4fff93e68539ba60c18d58642",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde port 9100/TCP
port 9100 tcp · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Preuve honeypot — Sonde port 9100/TCP
Connexion détectée sur le port 9100 (TCP) du capteur simulé.
Service
JETDIRECT
Payload
���������������������
Pourquoi cette classification : Type « port_9100_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
S7 TPKT packet
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 22,
"payload_entropy": 2.9139770731827515,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 35,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0376",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"S7 TPKT packet",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0376",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f7037589effec294cf1e8529946582b1",
"path_pattern_hash": "1144138c1a57dd6566e67742399f5aa8"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0000\u0001\ufffd\u0002\u0000\u0001\ufffd\u0001\n",
"request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0000\u0001\ufffd\u0002\u0000\u0001\ufffd\u0001\n",
"payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0000\u0001\ufffd\u0002\u0000\u0001\ufffd\u0001",
"evidence": {
"request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0000\u0001\ufffd\u0002\u0000\u0001\ufffd\u0001\n",
"payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0000\u0001\ufffd\u0002\u0000\u0001\ufffd\u0001",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "62f54ad12ec389138c24ad94a8f389011f6cdcdf",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0000\u0001\ufffd\u0002\u0000\u0001\ufffd\u0001",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0001\u0000\ufffd\u0002\u0000\u0001\ufffd\u0002\u0000\u0001\ufffd\u0001",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
/00UG01
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
/00UG01
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 8,
"payload_entropy": 2.4056390622295662,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6bb91333d0ff664d924b6571c1a88ab2",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "\/00UG01\r",
"request_sample": "\/00UG01\r",
"payload_snippet": "\/00UG01",
"evidence": {
"request_sample": "\/00UG01\r",
"payload_snippet": "\/00UG01",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6888c82b8431b01aecb200e5dfa1f14d6a2353cf",
"protocol_details": {
"payload_preview": "\/00UG01",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\/00UG01",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\/00UG01",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\/00UG01",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
c�����������������������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0768
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 24,
"payload_entropy": 0.24988229283318544,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0768"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d98b4c95d89a83c72b8b3ef5e42fc38c",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "046d5fe954241605691f465e310b5b1253832b1d",
"protocol_details": {
"payload_preview": "c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "c",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0768"
],
"tags_summary_labels_fr": [
"pat-0768"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "c\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "c",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde Memcached
memcached probe · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Investiguer
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
stats
Pourquoi cette classification : Type « memcached_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0374
pat-0533
pat-0865
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Memcached stats
Memcached stats
ET Memcached UDP
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 7,
"payload_entropy": 2.2359263506290326,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 50,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 164,
"precision_signals": [
"pat-0374",
"pat-0533",
"pat-0865"
],
"kb_rule_ids": [
"pat-0374",
"pat-0533",
"pat-0865"
],
"matched_patterns": [
"pat-0374",
"pat-0533",
"pat-0865"
],
"matched_pattern_names": [
"Memcached stats",
"Memcached stats",
"ET Memcached UDP"
],
"pattern_ids": [
"pat-0374",
"pat-0533",
"pat-0865"
],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "11e629574907d3a9ced402e26f4a98df",
"path_pattern_hash": "549d36783f9e3c43618e715d78a40b3b"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 50
},
"payload_preview": "stats\r\n",
"request_sample": "stats\r\n",
"payload_snippet": "stats",
"evidence": {
"request_sample": "stats\r\n",
"payload_snippet": "stats",
"classification_reason": "Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c5cb7d27a18fa0e16d8fff265634891cbf1e24a3",
"protocol_details": {
"payload_preview": "stats",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "stats",
"attack_vector": "memcached probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via JETDIRECT",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0374",
"pat-0533",
"pat-0865"
],
"tags_summary_labels_fr": [
"pat-0374",
"pat-0533",
"pat-0865"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "stats",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "memcached probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "stats",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
���������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0768
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 9,
"payload_entropy": 1.224394445405986,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0768"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8130a0ba1a45f483d4b86b557eefe19d",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0005\u0000\u0000\u0001\u0005\u0000\u0000\u0000\u0000",
"request_sample": "\u0005\u0000\u0000\u0001\u0005\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0005\u0000\u0000\u0001\u0005\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0005\u0000\u0000\u0001\u0005\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0005\u0000\u0000\u0001\u0005\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2fdbad205bd668dcdd292df43b0f3f3f89469154",
"protocol_details": {
"payload_preview": "\u0005\u0000\u0000\u0001\u0005\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0768"
],
"tags_summary_labels_fr": [
"pat-0768"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0005\u0000\u0000\u0001\u0005\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
/01GF00
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
/01GF00
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 8,
"payload_entropy": 2.4056390622295662,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "72c7aa3f4b4bc0a869ff7ae0f7d9c65f",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "\/01GF00\r",
"request_sample": "\/01GF00\r",
"payload_snippet": "\/01GF00",
"evidence": {
"request_sample": "\/01GF00\r",
"payload_snippet": "\/01GF00",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7e43d45f7eeb5b1d0960d31dc5ec1b0652f531cf",
"protocol_details": {
"payload_preview": "\/01GF00",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\/01GF00",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\/01GF00",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\/01GF00",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
SSRF interne
ssrf internal · via JETDIRECT:9100 · (tentative d'exploit)
|
Faible
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
���������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI
Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54%
Confiance classification
54%
Risque capteur
Moyen
· 46
Confiance : Confiance 54 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
CRS-920350
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
Oracle TNS connect
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI
Requête brute (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CID=(PROGRAM=networkscan)(HOST=localhost)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=9100)))
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 229,
"payload_entropy": 4.943493156123714,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 80,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15
},
"risk_score": 46,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"confidence": 0.54,
"classification_confidence": 0.54,
"precision_score": 64,
"precision_signals": [
"CRS-920350"
],
"kb_rule_ids": [
"CRS-920350"
],
"matched_patterns": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Oracle TNS connect",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 46
},
"named_classification_skipped": false,
"classification_parent": "ssrf_attack",
"service_name": "jetdirect",
"risk_confidence_factor": 54,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1a35c3a47ffd0cf9cd60327830bb708d",
"path_pattern_hash": "2926fa5ba65a298fe7630f4e1d1dd6ea"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 46
},
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI",
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CID=(PROGRAM=networkscan)(HOST=localhost)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=9100)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI",
"evidence": {
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CID=(PROGRAM=networkscan)(HOST=localhost)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=9100)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI",
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "65282685375a031abb72db5b0477fede343ea853",
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI",
"attack_vector": "ssrf internal \u00b7 via JETDIRECT:9100 \u00b7 (tentative d'exploit)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 54 % \u2014 via JETDIRECT",
"confidence_pct": 54,
"confidence_breakdown": {
"waf": 8,
"classification": 80,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 46
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"CRS-920350"
],
"tags_summary_labels_fr": [
"CRS-920350"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "ssrf internal \u00b7 via JETDIRECT:9100 \u00b7 (tentative d'exploit)",
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=NONEXISTENT_SVC_PROBE_XYZ)(CI",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 54 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�networkscan
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�networkscan
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 13,
"payload_entropy": 3.5465935642949384,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fa24e2ea0755ee07c26826db859cbad1",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "\u0003networkscan\n",
"request_sample": "\u0003networkscan\n",
"payload_snippet": "\u0003networkscan",
"evidence": {
"request_sample": "\u0003networkscan\n",
"payload_snippet": "\u0003networkscan",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7fdbfc1aad446f31cd69066bd7a01174716eafb8",
"protocol_details": {
"payload_preview": "\u0003networkscan",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "networkscan",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0003networkscan",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "networkscan",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Protocole wire MongoDB
mongodb wire protocol · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
mongodb_hello_probe
net_mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
���� ���������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0363
pat-0364
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���� ���������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Requête brute (extrait)
���� ���������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-driver��version�����1.17.4���os�.����type�����darwin��architecture�����arm64���platform� ���go1.26.1
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 231,
"payload_entropy": 4.360802763743417,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "dc2ec784f9a815f823c3fd671e6643654e6864ac",
"event_fingerprint": "c4ffac262af74aac6212858329eccfdbb04aa9c9",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0363",
"pat-0364"
],
"kb_rule_ids": [
"pat-0363",
"pat-0364"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "77660a67de2a981fd3aff48c423da93b",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 38
},
"payload_snippet": "\ufffd\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"evidence": {
"request_sample": "\ufffd\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bed83e61c76f1fb044dc67c60dacf471cebd487c",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\t\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0363",
"pat-0364"
],
"tags_summary_labels_fr": [
"pat-0363",
"pat-0364"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\t\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_hello_probe",
"net_mongodb_probe"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde port 9100/TCP
port 9100 tcp · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Preuve honeypot — Sonde port 9100/TCP
Connexion détectée sur le port 9100 (TCP) du capteur simulé.
Service
JETDIRECT
Payload
��������������������������������������������������������������������������������������������������������������������������������
Pourquoi cette classification : Type « port_9100_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Mumble ping
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 1537,
"payload_entropy": 0.007825717024736212,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 35,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0768",
"pat-0554"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Mumble ping",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0768",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b7812b6cee81237900f8087692e9d6df",
"path_pattern_hash": "1144138c1a57dd6566e67742399f5aa8"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_snippet": "\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "63429f5d887d4ae1b7497ca6fafa25c633f176df",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�I20100
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�I20100
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 8,
"payload_entropy": 2.4056390622295662,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "39fea238df890c005706b34a9316349a",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "\u0001I20100\n",
"request_sample": "\u0001I20100\n",
"payload_snippet": "\u0001I20100",
"evidence": {
"request_sample": "\u0001I20100\n",
"payload_snippet": "\u0001I20100",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "965584e076e546742156539f95400a300598b2b1",
"protocol_details": {
"payload_preview": "\u0001I20100",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "I20100",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0001I20100",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "I20100",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Protocole wire MongoDB
mongodb wire protocol · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
mongodb_hello_probe
net_mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0363
pat-0364
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
Mongo isMaster legacy
Mongo ismaster command
ET H.323 setup
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Requête brute (extrait)
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-driver��version�����1.17.4���os�.����type�����darwin��architecture�����arm64���platform� ���go1.26.1
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 231,
"payload_entropy": 4.355412666350185,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "dc2ec784f9a815f823c3fd671e6643654e6864ac",
"event_fingerprint": "c4ffac262af74aac6212858329eccfdbb04aa9c9",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0363",
"pat-0364"
],
"kb_rule_ids": [
"pat-0363",
"pat-0364"
],
"matched_patterns": [
"pat-0348",
"pat-0363",
"pat-0364",
"pat-0868",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"Mongo isMaster legacy",
"Mongo ismaster command",
"ET H.323 setup",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0363",
"pat-0364",
"pat-0868",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "35c9891bf4088a20a6c417ac96cca4b9",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 38
},
"payload_snippet": "\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"evidence": {
"request_sample": "\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fe8c49da54ccf6336b9ee33ecc9145d891899cfb",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0363",
"pat-0364"
],
"tags_summary_labels_fr": [
"pat-0363",
"pat-0364"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_hello_probe",
"net_mongodb_probe"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
M2 ������� ��{�'�
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0771
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
M2
������� ��{�'�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 17,
"payload_entropy": 3.6168746059562227,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0771"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dffda0b08a4e2cb49daf19bfa817a321",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "M2\r\u0000\u0001\u0000\u0000\u0000\u0007\ufffd\t\u0005\u0002{\ufffd'\ufffd",
"request_sample": "M2\r\u0000\u0001\u0000\u0000\u0000\u0007\ufffd\t\u0005\u0002{\ufffd'\ufffd",
"payload_snippet": "M2\r\u0000\u0001\u0000\u0000\u0000\u0007\ufffd\t\u0005\u0002{\ufffd'\ufffd",
"evidence": {
"request_sample": "M2\r\u0000\u0001\u0000\u0000\u0000\u0007\ufffd\t\u0005\u0002{\ufffd'\ufffd",
"payload_snippet": "M2\r\u0000\u0001\u0000\u0000\u0000\u0007\ufffd\t\u0005\u0002{\ufffd'\ufffd",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a3698af737048a7c98a803c1b1136e349c5197df",
"protocol_details": {
"payload_preview": "M2\r\u0000\u0001\u0000\u0000\u0000\u0007\ufffd\t\u0005\u0002{\ufffd'\ufffd",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "M2\r\ufffd\t{\ufffd'\ufffd",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0771"
],
"tags_summary_labels_fr": [
"pat-0771"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "M2\r\u0000\u0001\u0000\u0000\u0000\u0007\ufffd\t\u0005\u0002{\ufffd'\ufffd",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "M2\r\ufffd\t{\ufffd'\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�����������������������������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����������������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 29,
"payload_entropy": 2.2112607364322803,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d97ce8fcd995e33b6381798cd44b74da",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001d\u0001\u0004\ufffd\u0000\u0000\ufffd\ufffd\ufffd\u0001\u0001\u0000",
"request_sample": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001d\u0001\u0004\ufffd\u0000\u0000\ufffd\ufffd\ufffd\u0001\u0001\u0000",
"payload_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001d\u0001\u0004\ufffd\u0000\u0000\ufffd\ufffd\ufffd\u0001\u0001\u0000",
"evidence": {
"request_sample": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001d\u0001\u0004\ufffd\u0000\u0000\ufffd\ufffd\ufffd\u0001\u0001\u0000",
"payload_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001d\u0001\u0004\ufffd\u0000\u0000\ufffd\ufffd\ufffd\u0001\u0001\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1d524b4f80e8d0943d7f329de8de277519555f86",
"protocol_details": {
"payload_preview": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001d\u0001\u0004\ufffd\u0000\u0000\ufffd\ufffd\ufffd\u0001\u0001\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u001d\u0001\u0004\ufffd\u0000\u0000\ufffd\ufffd\ufffd\u0001\u0001\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde SSH
Sonde SSH · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
net_ssh_probe
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
SSH-2.0-GoSSHScanner
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-GoSSHScanner
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 22,
"payload_entropy": 3.658993415253805,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 48,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "55692bb9a00d41d69829be49e6e6b128878b204c",
"event_fingerprint": "4ff66fb818a6d21f6172febd90b5fd5618b74c1a",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253"
],
"pattern_ids": [
"pat-0391"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f4ccad08e10e62a47cfa634d2aba613d",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 48
},
"payload_preview": "SSH-2.0-GoSSHScanner\r\n",
"request_sample": "SSH-2.0-GoSSHScanner\r\n",
"payload_snippet": "SSH-2.0-GoSSHScanner",
"evidence": {
"request_sample": "SSH-2.0-GoSSHScanner\r\n",
"payload_snippet": "SSH-2.0-GoSSHScanner",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "22642312bcc9c3cc734f1862ff64ad779c5b2777",
"protocol_details": {
"payload_preview": "SSH-2.0-GoSSHScanner",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "SSH-2.0-GoSSHScanner",
"attack_vector": "Sonde SSH \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0391",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "SSH-2.0-GoSSHScanner",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "Sonde SSH \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-GoSSHScanner",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_ssh_probe",
"ssh_banner"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
GET /version HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 1 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /version HTTP/1.1
Host: 62.3.50.33:9100
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 103,
"payload_entropy": 4.93833090737226,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "01a3f5f1eb35708b186e1b6e90c5fa9921f2d2ab",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d8958eb5f469a86484877069c727d440",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 24
},
"payload_preview": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\n\r\n",
"request_sample": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip",
"evidence": {
"request_sample": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5a72a6fb8812aabc2d8da722a71ab24aa668ba18",
"protocol_details": {
"payload_preview": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 15,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/version HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
������������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0577
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 12,
"payload_entropy": 1.188721875540867,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0577"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "21cce3dca414e160647e5c8ea055408e",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000",
"request_sample": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2bea506df0bd2d44f17ed282722a36e33607cdbb",
"protocol_details": {
"payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0577"
],
"tags_summary_labels_fr": [
"pat-0577"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0001\u0001\u0000\u001a\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde PostgreSQL
postgres probe · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
������������/�+D������3���3�H0���G%�Һ��u�7 (��6VTD�Itܖ̢���ܤZZ]2���7@��>����+�/�,�0̨̩� ��� �����������_� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������/�+D������3���3�H0���G%�Һ��u�7 (��6VTD�Itܖ̢���ܤZZ]2���7@��>����+�/�,�0̨̩� ���
�����������_�����������������
Requête brute (extrait)
������������/�+D������3���3�H0���G%�Һ��u�7 (��6VTD�Itܖ̢���ܤZZ]2���7@��>����+�/�,�0̨̩� ��� �����������_� ��������������������������� ������������������� �������������������������2�����������������������������+��������3��������>�:Lb 3��Ltp�����ϴ�f����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 1483,
"payload_entropy": 7.75706952190835,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "f1e3f6c4032e00ba676fd80a6ca9708e04a4c2a8",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dd226c2e43ee2c7c65e42694d40104a5",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\/\ufffd+D\u0017\u0010\ufffd\u0015\ufffd\ufffd3\ufffd\ufffd\ufffd3\ufffdH0\ufffd\ufffd\ufffdG%\ufffd\u04ba\u0007\ufffdu\ufffd7 (\ufffd\ufffd6VTD\ufffdIt\u0716\u0322\ufffd\ufffd\ufffd\u0724ZZ]2\ufffd\ufffd\u001f7@\u0013\ufffd>\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\/\ufffd+D\u0017\u0010\ufffd\u0015\ufffd\ufffd3\ufffd\ufffd\ufffd3\ufffdH0\ufffd\ufffd\ufffdG%\ufffd\u04ba\u0007\ufffdu\ufffd7 (\ufffd\ufffd6VTD\ufffdIt\u0716\u0322\ufffd\ufffd\ufffd\u0724ZZ]2\ufffd\ufffd\u001f7@\u0013\ufffd>\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd>\u0016:Lb\r3\ufffd\u0018Ltp\ufffd\ufffd\u001b\ufffd\ufffd\u03f4\ufffdf\u0003\ufffd\u001f\u001b",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\/\ufffd+D\u0017\u0010\ufffd\u0015\ufffd\ufffd3\ufffd\ufffd\ufffd3\ufffdH0\ufffd\ufffd\ufffdG%\ufffd\u04ba\u0007\ufffdu\ufffd7 (\ufffd\ufffd6VTD\ufffdIt\u0716\u0322\ufffd\ufffd\ufffd\u0724ZZ]2\ufffd\ufffd\u001f7@\u0013\ufffd>\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f831e717d3f54126def06cf167b89387a0be5057",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\/\ufffd+D\u0017\u0010\ufffd\u0015\ufffd\ufffd3\ufffd\ufffd\ufffd3\ufffdH0\ufffd\ufffd\ufffdG%\ufffd\u04ba\u0007\ufffdu\ufffd7 (\ufffd\ufffd6VTD\ufffdIt\u0716\u0322\ufffd\ufffd\ufffd\u0724ZZ]2\ufffd\ufffd\u001f7@\u0013\ufffd>\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\/\ufffd+D\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd3\ufffdH0\ufffd\ufffd\ufffdG%\ufffd\u04ba\ufffdu\ufffd7 (\ufffd\ufffd6VTD\ufffdIt\u0716\u0322\ufffd\ufffd\ufffd\u0724ZZ]2\ufffd\ufffd7@\ufffd>\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\/\ufffd+D\u0017\u0010\ufffd\u0015\ufffd\ufffd3\ufffd\ufffd\ufffd3\ufffdH0\ufffd\ufffd\ufffdG%\ufffd\u04ba\u0007\ufffdu\ufffd7 (\ufffd\ufffd6VTD\ufffdIt\u0716\u0322\ufffd\ufffd\ufffd\u0724ZZ]2\ufffd\ufffd\u001f7@\u0013\ufffd>\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\/\ufffd+D\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd3\ufffdH0\ufffd\ufffd\ufffdG%\ufffd\u04ba\ufffdu\ufffd7 (\ufffd\ufffd6VTD\ufffdIt\u0716\u0322\ufffd\ufffd\ufffd\u0724ZZ]2\ufffd\ufffd7@\ufffd>\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
����j��0����������� ��0��y0w�����@�����0������� 0 ��testuser� � 62.3.50.33��0��������0���krbtgt� 62.3.50.33����20260618204924Z��
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�j��0�����������
��0��y0w�����@�����0��������0
��testuser���
62.3.50.33��0��������0���krbtgt�
62.3.50.33����20260618204924Z��
Requête brute (extrait)
�j��0����������� ��0��y0w�����@�����0������� 0 ��testuser� � 62.3.50.33��0��������0���krbtgt� 62.3.50.33����20260618204924Z������a�� 0 ���������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 147,
"payload_entropy": 5.448107887672219,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7c485031e5382e68b1c3ee177ce870ad",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618204924Z\ufffd\u0006",
"request_sample": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618204924Z\ufffd\u0006\u0002\u0004\u001b\ufffda\ufffd\ufffd\u000b0\t\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0017",
"payload_snippet": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618204924Z\ufffd\u0006",
"evidence": {
"request_sample": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618204924Z\ufffd\u0006\u0002\u0004\u001b\ufffda\ufffd\ufffd\u000b0\t\u0002\u0001\u0012\u0002\u0001\u0011\u0002\u0001\u0017",
"payload_snippet": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618204924Z\ufffd\u0006",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f016ea9c7affa625d8d8eacb96ae163ef046fb55",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618204924Z\ufffd\u0006",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd\n\ufffd0\ufffdy0w\ufffd@\ufffd0\ufffd\ufffd0\ntestuser\ufffd\n62.3.50.33\ufffd0\ufffd\ufffd0krbtgt\n62.3.50.33\ufffd20260618204924Z\ufffd",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\u0003\u0002\u0001\u0005\ufffd\u0003\u0002\u0001\n\ufffd\u00020\u0000\ufffdy0w\ufffd\u0007\u0003\u0005\u0000@\u0000\u0000\u0010\ufffd\u00150\u0013\ufffd\u0003\u0002\u0001\u0001\ufffd\f0\n\u001b\btestuser\ufffd\f\u001b\n62.3.50.33\ufffd\u001f0\u001d\ufffd\u0003\u0002\u0001\u0002\ufffd\u00160\u0014\u001b\u0006krbtgt\u001b\n62.3.50.33\ufffd\u0011\u0018\u000f20260618204924Z\ufffd\u0006",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffdj\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd\n\ufffd0\ufffdy0w\ufffd@\ufffd0\ufffd\ufffd0\ntestuser\ufffd\n62.3.50.33\ufffd0\ufffd\ufffd0krbtgt\n62.3.50.33\ufffd20260618204924Z\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde port 9100/TCP
port 9100 tcp · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Preuve honeypot — Sonde port 9100/TCP
Connexion détectée sur le port 9100 (TCP) du capteur simulé.
Service
JETDIRECT
Payload
�� �����H�����������������������ᯀ4]�������+.�m�����]����������+�H`����
Pourquoi cette classification : Type « port_9100_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������H�����������������������ᯀ4]�������+.�m�����]����������+�H`�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 72,
"payload_entropy": 3.9288024275565268,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 35,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2dca894a09b600e3818fd3a40f58b5bb",
"path_pattern_hash": "1144138c1a57dd6566e67742399f5aa8"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_preview": "\u0005\u0000\u000b\u0003\u0010\u0000\u0000\u0000H\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffd\u0010\ufffd\u0010\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u1bc04]\ufffd\ufffd\u0011\ufffd\ufffd\b\u0000+.\ufffdm\u0003\u0000\u0000\u0000\u0004]\ufffd\ufffd\ufffd\u001c\ufffd\u0011\ufffd\ufffd\b\u0000+\u0010H`\u0002\u0000\u0000\u0000",
"request_sample": "\u0005\u0000\u000b\u0003\u0010\u0000\u0000\u0000H\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffd\u0010\ufffd\u0010\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u1bc04]\ufffd\ufffd\u0011\ufffd\ufffd\b\u0000+.\ufffdm\u0003\u0000\u0000\u0000\u0004]\ufffd\ufffd\ufffd\u001c\ufffd\u0011\ufffd\ufffd\b\u0000+\u0010H`\u0002\u0000\u0000\u0000",
"payload_snippet": "\u0005\u0000\u000b\u0003\u0010\u0000\u0000\u0000H\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffd\u0010\ufffd\u0010\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u1bc04]\ufffd\ufffd\u0011\ufffd\ufffd\b\u0000+.\ufffdm\u0003\u0000\u0000\u0000\u0004]\ufffd\ufffd\ufffd\u001c\ufffd\u0011\ufffd\ufffd\b\u0000+\u0010H`\u0002\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0005\u0000\u000b\u0003\u0010\u0000\u0000\u0000H\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffd\u0010\ufffd\u0010\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u1bc04]\ufffd\ufffd\u0011\ufffd\ufffd\b\u0000+.\ufffdm\u0003\u0000\u0000\u0000\u0004]\ufffd\ufffd\ufffd\u001c\ufffd\u0011\ufffd\ufffd\b\u0000+\u0010H`\u0002\u0000\u0000\u0000",
"payload_snippet": "\u0005\u0000\u000b\u0003\u0010\u0000\u0000\u0000H\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffd\u0010\ufffd\u0010\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u1bc04]\ufffd\ufffd\u0011\ufffd\ufffd\b\u0000+.\ufffdm\u0003\u0000\u0000\u0000\u0004]\ufffd\ufffd\ufffd\u001c\ufffd\u0011\ufffd\ufffd\b\u0000+\u0010H`\u0002\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "da20910b2acc56821af6a70c4a40992a023f48ca",
"protocol_details": {
"payload_preview": "\u0005\u0000\u000b\u0003\u0010\u0000\u0000\u0000H\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffd\u0010\ufffd\u0010\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u1bc04]\ufffd\ufffd\u0011\ufffd\ufffd\b\u0000+.\ufffdm\u0003\u0000\u0000\u0000\u0004]\ufffd\ufffd\ufffd\u001c\ufffd\u0011\ufffd\ufffd\b\u0000+\u0010H`\u0002\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "H\ufffd\ufffd\u1bc04]\ufffd\ufffd\ufffd\ufffd+.\ufffdm]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`",
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0005\u0000\u000b\u0003\u0010\u0000\u0000\u0000H\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffd\u0010\ufffd\u0010\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u1bc04]\ufffd\ufffd\u0011\ufffd\ufffd\b\u0000+.\ufffdm\u0003\u0000\u0000\u0000\u0004]\ufffd\ufffd\ufffd\u001c\ufffd\u0011\ufffd\ufffd\b\u0000+\u0010H`\u0002\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "H\ufffd\ufffd\u1bc04]\ufffd\ufffd\ufffd\ufffd+.\ufffdm]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+H`",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde HTTP smuggling
http smuggling probe · via JETDIRECT:9100 · (tentative d'exploit)
|
Faible
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Investiguer
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
POST /wsman HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: networkscan Content-Length: 252 Content-Type: application/soap+xml;ch
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
CRS 941130
LFI Double-dot bypass
WinRM WS-Man
User-Agent
—
Règles WAF
—
Payload (extrait)
POST /wsman HTTP/1.1
Host: 62.3.50.33:9100
User-Agent: networkscan
Content-Length: 252
Content-Type: application/soap+xml;ch
Requête brute (extrait)
POST /wsman HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: networkscan Content-Length: 252 Content-Type: application/soap+xml;charset=UTF-8 Accept-Encoding: gzip <?xml version="1.0" encoding="UTF-8"?> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 418,
"payload_entropy": 5.312253605482131,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15
},
"risk_score": 52,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0284",
"pat-0103",
"pat-0526"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"CRS 941130",
"LFI Double-dot bypass",
"WinRM WS-Man"
],
"pattern_ids": [
"pat-0842",
"pat-0284",
"pat-0103",
"pat-0526"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 52
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d83baa8ad3d6549d5d4de097d20f2bc0",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 52
},
"payload_preview": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch",
"request_sample": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nAccept-Encoding: gzip\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<s:Envelope xmlns:s=\"http:\/\/www.w3.org\/2003\/05\/soap",
"payload_snippet": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch",
"evidence": {
"request_sample": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;charset=UTF-8\r\nAccept-Encoding: gzip\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<s:Envelope xmlns:s=\"http:\/\/www.w3.org\/2003\/05\/soap",
"payload_snippet": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "00d2aa55e9db017e382440960f06b5a165ecf9d1",
"protocol_details": {
"payload_preview": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch",
"attack_vector": "http smuggling probe \u00b7 via JETDIRECT:9100 \u00b7 (tentative d'exploit)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via JETDIRECT",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 52
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "http smuggling probe \u00b7 via JETDIRECT:9100 \u00b7 (tentative d'exploit)",
"evidence_snippet": "POST \/wsman HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan\r\nContent-Length: 252\r\nContent-Type: application\/soap+xml;ch",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde HTTP smuggling
http smuggling probe · via JETDIRECT:9100 · (tentative d'exploit)
|
Faible
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Investiguer
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
POST / HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: networkscan-ipp Content-Length: 94 Content-Type: application/ipp Accept-E
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
Kafka ApiVersions key
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
POST / HTTP/1.1
Host: 62.3.50.33:9100
User-Agent: networkscan-ipp
Content-Length: 94
Content-Type: application/ipp
Accept-E
Requête brute (extrait)
POST / HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: networkscan-ipp Content-Length: 94 Content-Type: application/ipp Accept-Encoding: gzip ��� �����G��attributes-charset��utf-8H��attributes-natural-language��en-usE� printer-uri��ipp�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 239,
"payload_entropy": 5.201010449937285,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15
},
"risk_score": 52,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0556",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"Kafka ApiVersions key",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0842",
"pat-0556",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 52
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6c3298003e12e77242d4896746c34b3c",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 52
},
"payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-E",
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-Encoding: gzip\r\n\r\n\u0001\u0001\u0000\u000b\u0000\u0000\u0000\u0001\u0001G\u0000\u0012attributes-charset\u0000\u0005utf-8H\u0000\u001battributes-natural-language\u0000\u0005en-usE\u0000\u000bprinter-uri\u0000\u0003ipp\u0003",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-E",
"evidence": {
"request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-Encoding: gzip\r\n\r\n\u0001\u0001\u0000\u000b\u0000\u0000\u0000\u0001\u0001G\u0000\u0012attributes-charset\u0000\u0005utf-8H\u0000\u001battributes-natural-language\u0000\u0005en-usE\u0000\u000bprinter-uri\u0000\u0003ipp\u0003",
"payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-E",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f28ea7c1dd826a1042c56e616ce144a1d80072b2",
"protocol_details": {
"payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-E",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-E",
"attack_vector": "http smuggling probe \u00b7 via JETDIRECT:9100 \u00b7 (tentative d'exploit)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via JETDIRECT",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 52
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-E",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "http smuggling probe \u00b7 via JETDIRECT:9100 \u00b7 (tentative d'exploit)",
"evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: networkscan-ipp\r\nContent-Length: 94\r\nContent-Type: application\/ipp\r\nAccept-E",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 6
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
���9�SMBr�������������������������������SMB 2.100��SMB 2.???�
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 6
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
9�SMBr�������������������������������SMB 2.100��SMB 2.???
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 61,
"payload_entropy": 3.067526085603591,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 6,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f3a79d06df74b9595fc2f33f2fff54b0",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 6
},
"payload_preview": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000",
"request_sample": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000",
"payload_snippet": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000",
"payload_snippet": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a73a2c09d398fd0452defdcab81bc8ebc6775483",
"protocol_details": {
"payload_preview": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "9\ufffdSMBr\ufffd\ufffd\ufffdSMB 2.100SMB 2.???",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 6
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 6,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u00009\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0016\u0000\u0002SMB 2.100\u0000\u0002SMB 2.???\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "9\ufffdSMBr\ufffd\ufffd\ufffdSMB 2.100SMB 2.???",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Protocole wire MongoDB
mongodb wire protocol · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
mongodb_hello_probe
net_mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Faible
· 38
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0363
pat-0364
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mongo isMaster legacy
Mongo ismaster command
NFS RPC mount
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-
Requête brute (extrait)
��������������������admin.$cmd��������������isMaster������helloOk���compression�������client������driver�3����name�����mongo-go-driver��version�����1.17.4���os�.����type�����darwin��architecture�����arm64���platform� ���go1.26.1
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 231,
"payload_entropy": 4.360802763743417,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 38,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "dc2ec784f9a815f823c3fd671e6643654e6864ac",
"event_fingerprint": "c4ffac262af74aac6212858329eccfdbb04aa9c9",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0363",
"pat-0364"
],
"kb_rule_ids": [
"pat-0363",
"pat-0364"
],
"matched_patterns": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Mongo isMaster legacy",
"Mongo ismaster command",
"NFS RPC mount",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0363",
"pat-0364",
"pat-0532",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"named_classification_skipped": false,
"classification_parent": "mongodb_probe",
"service_name": "jetdirect",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4730cad5defa7a68a31d4046d0150bba",
"path_pattern_hash": "9060bd55aeb34075959b54fecab264ea"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 38
},
"payload_snippet": "\ufffd\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"evidence": {
"request_sample": "\ufffd\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-driver\u0000\u0002version\u0000\u0007\u0000\u0000\u00001.17.4\u0000\u0000\u0003os\u0000.\u0000\u0000\u0000\u0002type\u0000\u0007\u0000\u0000\u0000darwin\u0000\u0002architecture\u0000\u0006\u0000\u0000\u0000arm64\u0000\u0000\u0002platform\u0000\t\u0000\u0000\u0000go1.26.1\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2a7536aee9f85009c8ac1f33f30edd388642a00a",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 38
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 38,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0363",
"pat-0364"
],
"tags_summary_labels_fr": [
"pat-0363",
"pat-0364"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_hello_probe",
"net_mongodb_probe"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde PostgreSQL
postgres probe · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
������������O���F�T��L��f�E�����xz�l0��T�8 � �Q�H����,.�7����|����~��]�6����+�/�,�0̨̩� ��� �����������_� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������O���F�T��L��f�E�����xz�l0��T�8 � �Q�H����,.�7����|����~��]�6����+�/�,�0̨̩� ���
�����������_�����������������
Requête brute (extrait)
������������O���F�T��L��f�E�����xz�l0��T�8 � �Q�H����,.�7����|����~��]�6����+�/�,�0̨̩� ��� �����������_� ��������������������������� ������������������� �������������������������2�����������������������������+��������3��������1{Y*�ZZ���.Մ�b�t�W��G J
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 1483,
"payload_entropy": 7.731469049183053,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "f1e3f6c4032e00ba676fd80a6ca9708e04a4c2a8",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "02f7ad9641207d26ea0dbbdeae5cb550",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdO\ufffd\ufffd\ufffdF\ufffdT\ufffd\ufffdL\u0012\ufffdf\ufffdE\ufffd\ufffd\ufffd\u0013\ufffdxz\ufffdl0\ufffd\ufffdT\ufffd8 \ufffd\t\ufffdQ\u0011H\ufffd\ufffd\ufffd\ufffd,.\ufffd7\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd]\u00016\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdO\ufffd\ufffd\ufffdF\ufffdT\ufffd\ufffdL\u0012\ufffdf\ufffdE\ufffd\ufffd\ufffd\u0013\ufffdxz\ufffdl0\ufffd\ufffdT\ufffd8 \ufffd\t\ufffdQ\u0011H\ufffd\ufffd\ufffd\ufffd,.\ufffd7\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd]\u00016\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd1{Y*\ufffdZZ\u0015\u000f\ufffd.\u0544\ufffdb\ufffdt\ufffdW\u0012\ufffdG\tJ",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdO\ufffd\ufffd\ufffdF\ufffdT\ufffd\ufffdL\u0012\ufffdf\ufffdE\ufffd\ufffd\ufffd\u0013\ufffdxz\ufffdl0\ufffd\ufffdT\ufffd8 \ufffd\t\ufffdQ\u0011H\ufffd\ufffd\ufffd\ufffd,.\ufffd7\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd]\u00016\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "039b1bda5d3108851fb68ecffd8958a81f0ecee5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdO\ufffd\ufffd\ufffdF\ufffdT\ufffd\ufffdL\u0012\ufffdf\ufffdE\ufffd\ufffd\ufffd\u0013\ufffdxz\ufffdl0\ufffd\ufffdT\ufffd8 \ufffd\t\ufffdQ\u0011H\ufffd\ufffd\ufffd\ufffd,.\ufffd7\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd]\u00016\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffdF\ufffdT\ufffd\ufffdL\ufffdf\ufffdE\ufffd\ufffd\ufffd\ufffdxz\ufffdl0\ufffd\ufffdT\ufffd8 \ufffd\t\ufffdQH\ufffd\ufffd\ufffd\ufffd,.\ufffd7\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd]6\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdO\ufffd\ufffd\ufffdF\ufffdT\ufffd\ufffdL\u0012\ufffdf\ufffdE\ufffd\ufffd\ufffd\u0013\ufffdxz\ufffdl0\ufffd\ufffdT\ufffd8 \ufffd\t\ufffdQ\u0011H\ufffd\ufffd\ufffd\ufffd,.\ufffd7\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd]\u00016\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdO\ufffd\ufffd\ufffdF\ufffdT\ufffd\ufffdL\ufffdf\ufffdE\ufffd\ufffd\ufffd\ufffdxz\ufffdl0\ufffd\ufffdT\ufffd8 \ufffd\t\ufffdQH\ufffd\ufffd\ufffd\ufffd,.\ufffd7\ufffd\ufffd\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd]6\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
/01ID00
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
/01ID00
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 8,
"payload_entropy": 2.4056390622295662,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "61f773eab0c68558b2e738208fa0680a",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "\/01ID00\r",
"request_sample": "\/01ID00\r",
"payload_snippet": "\/01ID00",
"evidence": {
"request_sample": "\/01ID00\r",
"payload_snippet": "\/01ID00",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b8083ea0290889efcf5d27020cc4fc672c79aca1",
"protocol_details": {
"payload_preview": "\/01ID00",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\/01ID00",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\/01ID00",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\/01ID00",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde PostgreSQL
postgres probe · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�����������7�������/�|�|�Z�qm��VT:ғ�4��Z�� �V�y&�-�,��n����������fn�"����O����+�/�,�0̨̩� ��� �����������_� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������7�������/�|�|�Z�qm��VT:ғ�4��Z�� �V�y&�-�,��n����������fn�"����O����+�/�,�0̨̩� ���
�����������_�����������������
Requête brute (extrait)
�����������7�������/�|�|�Z�qm��VT:ғ�4��Z�� �V�y&�-�,��n����������fn�"����O����+�/�,�0̨̩� ��� �����������_� ��������������������������� ������������������� �������������������������2�����������������������������+��������3��������?57���5�O��Y� �� �j+�`x�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 1483,
"payload_entropy": 7.732600397307058,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "f1e3f6c4032e00ba676fd80a6ca9708e04a4c2a8",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "cb968bea3e4c0c6ae19a7438d92369a3",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00037\ufffd\ufffd\u001d\u001a\ufffd\ufffd\u0017\/\ufffd|\u0014|\ufffdZ\ufffdqm\ufffd\ufffdVT:\u0493\u00044\u0014\ufffdZ\ufffd\ufffd \ufffdV\ufffdy&\u001f-\u0000,\ufffd\u0000n\ufffd\u001b\u0010\u001b\u0017\ufffd\ufffd\u0018\ufffd\ufffdfn\ufffd\"\ufffd\ufffd\u0017\ufffdO\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00037\ufffd\ufffd\u001d\u001a\ufffd\ufffd\u0017\/\ufffd|\u0014|\ufffdZ\ufffdqm\ufffd\ufffdVT:\u0493\u00044\u0014\ufffdZ\ufffd\ufffd \ufffdV\ufffdy&\u001f-\u0000,\ufffd\u0000n\ufffd\u001b\u0010\u001b\u0017\ufffd\ufffd\u0018\ufffd\ufffdfn\ufffd\"\ufffd\ufffd\u0017\ufffdO\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd?57\ufffd\ufffd\ufffd5\ufffdO\ufffd\u0014Y\ufffd\f\u0010\ufffd\t\ufffdj+\ufffd`x\u0016",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00037\ufffd\ufffd\u001d\u001a\ufffd\ufffd\u0017\/\ufffd|\u0014|\ufffdZ\ufffdqm\ufffd\ufffdVT:\u0493\u00044\u0014\ufffdZ\ufffd\ufffd \ufffdV\ufffdy&\u001f-\u0000,\ufffd\u0000n\ufffd\u001b\u0010\u001b\u0017\ufffd\ufffd\u0018\ufffd\ufffdfn\ufffd\"\ufffd\ufffd\u0017\ufffdO\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ba9b90fbe7dbe57b9ba2195b9fbd6372da7fdd6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00037\ufffd\ufffd\u001d\u001a\ufffd\ufffd\u0017\/\ufffd|\u0014|\ufffdZ\ufffdqm\ufffd\ufffdVT:\u0493\u00044\u0014\ufffdZ\ufffd\ufffd \ufffdV\ufffdy&\u001f-\u0000,\ufffd\u0000n\ufffd\u001b\u0010\u001b\u0017\ufffd\ufffd\u0018\ufffd\ufffdfn\ufffd\"\ufffd\ufffd\u0017\ufffdO\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd||\ufffdZ\ufffdqm\ufffd\ufffdVT:\u04934\ufffdZ\ufffd\ufffd \ufffdV\ufffdy&-,\ufffdn\ufffd\ufffd\ufffd\ufffd\ufffdfn\ufffd\"\ufffd\ufffd\ufffdO\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00037\ufffd\ufffd\u001d\u001a\ufffd\ufffd\u0017\/\ufffd|\u0014|\ufffdZ\ufffdqm\ufffd\ufffdVT:\u0493\u00044\u0014\ufffdZ\ufffd\ufffd \ufffdV\ufffdy&\u001f-\u0000,\ufffd\u0000n\ufffd\u001b\u0010\u001b\u0017\ufffd\ufffd\u0018\ufffd\ufffdfn\ufffd\"\ufffd\ufffd\u0017\ufffdO\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd7\ufffd\ufffd\ufffd\ufffd\/\ufffd||\ufffdZ\ufffdqm\ufffd\ufffdVT:\u04934\ufffdZ\ufffd\ufffd \ufffdV\ufffdy&-,\ufffdn\ufffd\ufffd\ufffd\ufffd\ufffdfn\ufffd\"\ufffd\ufffd\ufffdO\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde PostgreSQL
postgres probe · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�����������k( ���>�O�T�[��Ϝt���T�2��㯆IH ��.��2�� �����r�=���@�(N@���������+�/�,�0̨̩� ��� �����������_� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������k(����>�O�T�[��Ϝt���T�2��㯆IH ��.��2��
�����r�=���@�(N@���������+�/�,�0̨̩� ���
�����������_�����������������
Requête brute (extrait)
�����������k( ���>�O�T�[��Ϝt���T�2��㯆IH ��.��2�� �����r�=���@�(N@���������+�/�,�0̨̩� ��� �����������_� ��������������������������� ������������������� �������������������������2�����������������������������+��������3���������ꃚ�8��x�b������Ŵ{P�SD.
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 1483,
"payload_entropy": 7.712007696816978,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "f1e3f6c4032e00ba676fd80a6ca9708e04a4c2a8",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "053fc4a5ca49e3ab3deb9ef3e290d6fa",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003k(\f\ufffd\ufffd\ufffd>\ufffdO\ufffdT\ufffd[\ufffd\ufffd\u03dct\ufffd\u0010\ufffdT\ufffd2\ufffd\ufffd\u3bc6IH \ufffd\ufffd.\ufffd\u00002\ufffd\ufffd\r\ufffd\ufffd\u0013\ufffd\ufffdr\ufffd=\ufffd\ufffd\ufffd@\u0011(N@\ufffd\u0018\u0007\u000f\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003k(\f\ufffd\ufffd\ufffd>\ufffdO\ufffdT\ufffd[\ufffd\ufffd\u03dct\ufffd\u0010\ufffdT\ufffd2\ufffd\ufffd\u3bc6IH \ufffd\ufffd.\ufffd\u00002\ufffd\ufffd\r\ufffd\ufffd\u0013\ufffd\ufffdr\ufffd=\ufffd\ufffd\ufffd@\u0011(N@\ufffd\u0018\u0007\u000f\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ua0da\ufffd8\ufffd\ufffdx\u0014b\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\u0174{P\ufffdSD.",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003k(\f\ufffd\ufffd\ufffd>\ufffdO\ufffdT\ufffd[\ufffd\ufffd\u03dct\ufffd\u0010\ufffdT\ufffd2\ufffd\ufffd\u3bc6IH \ufffd\ufffd.\ufffd\u00002\ufffd\ufffd\r\ufffd\ufffd\u0013\ufffd\ufffdr\ufffd=\ufffd\ufffd\ufffd@\u0011(N@\ufffd\u0018\u0007\u000f\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6e4eb0ffc3442841f05f2f6425fd12b37987a83e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003k(\f\ufffd\ufffd\ufffd>\ufffdO\ufffdT\ufffd[\ufffd\ufffd\u03dct\ufffd\u0010\ufffdT\ufffd2\ufffd\ufffd\u3bc6IH \ufffd\ufffd.\ufffd\u00002\ufffd\ufffd\r\ufffd\ufffd\u0013\ufffd\ufffdr\ufffd=\ufffd\ufffd\ufffd@\u0011(N@\ufffd\u0018\u0007\u000f\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffdk(\ufffd\ufffd\ufffd>\ufffdO\ufffdT\ufffd[\ufffd\ufffd\u03dct\ufffd\ufffdT\ufffd2\ufffd\ufffd\u3bc6IH \ufffd\ufffd.\ufffd2\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffdr\ufffd=\ufffd\ufffd\ufffd@(N@\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003k(\f\ufffd\ufffd\ufffd>\ufffdO\ufffdT\ufffd[\ufffd\ufffd\u03dct\ufffd\u0010\ufffdT\ufffd2\ufffd\ufffd\u3bc6IH \ufffd\ufffd.\ufffd\u00002\ufffd\ufffd\r\ufffd\ufffd\u0013\ufffd\ufffdr\ufffd=\ufffd\ufffd\ufffd@\u0011(N@\ufffd\u0018\u0007\u000f\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005_\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdk(\ufffd\ufffd\ufffd>\ufffdO\ufffdT\ufffd[\ufffd\ufffd\u03dct\ufffd\ufffdT\ufffd2\ufffd\ufffd\u3bc6IH \ufffd\ufffd.\ufffd2\ufffd\ufffd\r\ufffd\ufffd\ufffd\ufffdr\ufffd=\ufffd\ufffd\ufffd@(N@\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd_\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "99a5882356b4d78fbb128d9a01d6cf13e652995b",
"protocol_details": {
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
^N��-�D��@�P1Q�-@ Z| C1�ay���> ��йv:E��Ü������u d k� V�V�9�sq
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
^N��-�D��@�P1Q�-@�
Z|
C1�ay���> ��йv:E��Ü������u d k�
V�V�9�sq
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 64,
"payload_entropy": 5.675704882778696,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7c81d8d95e935f1e9b1f03b48b4e6c9a",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"payload_preview": "^N\u0019\ufffd-\ufffdD\u001e\ufffd@\ufffdP1Q\u0000-@\u000b\nZ|\rC1\ufffday\ufffd\u001f\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\u0019\ufffd\u0002\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"request_sample": "^N\u0019\ufffd-\ufffdD\u001e\ufffd@\ufffdP1Q\u0000-@\u000b\nZ|\rC1\ufffday\ufffd\u001f\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\u0019\ufffd\u0002\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"payload_snippet": "^N\u0019\ufffd-\ufffdD\u001e\ufffd@\ufffdP1Q\u0000-@\u000b\nZ|\rC1\ufffday\ufffd\u001f\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\u0019\ufffd\u0002\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"evidence": {
"request_sample": "^N\u0019\ufffd-\ufffdD\u001e\ufffd@\ufffdP1Q\u0000-@\u000b\nZ|\rC1\ufffday\ufffd\u001f\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\u0019\ufffd\u0002\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"payload_snippet": "^N\u0019\ufffd-\ufffdD\u001e\ufffd@\ufffdP1Q\u0000-@\u000b\nZ|\rC1\ufffday\ufffd\u001f\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\u0019\ufffd\u0002\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3cf8c95e2f2ef0c72c0f00067cb4e72503dd6352",
"protocol_details": {
"payload_preview": "^N\u0019\ufffd-\ufffdD\u001e\ufffd@\ufffdP1Q\u0000-@\u000b\nZ|\rC1\ufffday\ufffd\u001f\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\u0019\ufffd\u0002\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "^N\ufffd-\ufffdD\ufffd@\ufffdP1Q-@\nZ|\rC1\ufffday\ufffd\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\ufffd\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 15,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "^N\u0019\ufffd-\ufffdD\u001e\ufffd@\ufffdP1Q\u0000-@\u000b\nZ|\rC1\ufffday\ufffd\u001f\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\u0019\ufffd\u0002\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "^N\ufffd-\ufffdD\ufffd@\ufffdP1Q-@\nZ|\rC1\ufffday\ufffd\ufffd>\t\ufffd\ufffd\u0439v:E\ufffd\ufffd\u00dc\ufffd\ufffd\ufffd\ufffdu\td\tk\ufffd\nV\ufffdV\ufffd9\ufffdsq",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4795e0086a35811ce41b66e6c41b383affce2a72",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "99a5882356b4d78fbb128d9a01d6cf13e652995b",
"protocol_details": {
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Botnet Mozi
mozi pattern · via JETDIRECT:9100 · (commande & contrôle)
|
Élevée
|
Faible · 37
|
|
Étape
Commande & contrôle
Chaîne
Commande & contrôle
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0011
TA0011
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
GET / HTTP/1.1 Host: 62.3.50.33 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) C
Pourquoi cette classification : Type « mozi_pattern » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 37
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0011
Tactiques MITRE
TA0011
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) C
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 184,
"payload_entropy": 5.375635561415027,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 82,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15
},
"risk_score": 37,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b362c8436efcbf6e793e749c5f77f26c49f6f6d9",
"event_fingerprint": "4eb4d5d58ec22bdf2146f812070ea6ca88d25a86",
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 37
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "39af03a5c2d96a346d228183e2226a52",
"path_pattern_hash": "762d384fab941f6d0c2239f19994f30e"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 37
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "c2",
"mitre_tactics": [
"TA0011"
],
"mitre": "TA0011",
"threat_family": [
"botnet"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aa204113f4c187101fff73448021a2965f57f817",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"attack_vector": "mozi pattern \u00b7 via JETDIRECT:9100 \u00b7 (commande & contr\u00f4le)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 37\/100 (Faible) \u2014 MITRE TA0011 \u2014 via JETDIRECT",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 37
},
"attack_stage": "c2",
"attack_stage_label": "Commande & contr\u00f4le",
"attack_chain_stage": "command_and_control",
"attack_chain_stage_label_fr": "Commande & contr\u00f4le",
"risk_score": 37,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0011",
"mitre_technique": "TA0011",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "mozi pattern \u00b7 via JETDIRECT:9100 \u00b7 (commande & contr\u00f4le)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) C",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": true,
"kind": "stage"
},
{
"key": "command_and_control",
"label_fr": "Commande & contr\u00f4le",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "command_and_control",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_mozi_pattern"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
Sonde PostgreSQL
postgres probe · via JETDIRECT:9100 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�����������R�L�Oww��Π�&� µM�uE�����k ����i�Z��6 ���[&�үd���Q���[Ӄ���2�+�/�,�0̨̩� ��� �������/�5��� �#�'�<������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������R�L�Oww��Π�&� µM�uE�����k ����i�Z��6����[&�үd���Q���[Ӄ���2�+�/�,�0̨̩� ���
�������/�5���
�#�'�<������������
Requête brute (extrait)
�����������R�L�Oww��Π�&� µM�uE�����k ����i�Z��6 ���[&�үd���Q���[Ӄ���2�+�/�,�0̨̩� ��� �������/�5��� �#�'�<���������������c� ��������������������������� ������������������� �������������������������2�����������������������������+� ����������3�����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 1511,
"payload_entropy": 7.724599724971361,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "f1e3f6c4032e00ba676fd80a6ca9708e04a4c2a8",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f1902fa9351a35b81ebb34d421fefa4f",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003R\ufffdL\ufffdOww\ufffd\ufffd\u03a0\ufffd\uf128&\ufffd \u00b5M\ufffduE\ufffd\u0011\u001f\ufffd\ufffdk \ufffd\ufffd\ufffd\u001fi\ufffdZ\ufffd\ufffd6\f\ufffd\ufffd\ufffd[&\ufffd\u04afd\u0006\ufffd\ufffdQ\ufffd\ufffd\u0011[\u04c3\u0010\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003R\ufffdL\ufffdOww\ufffd\ufffd\u03a0\ufffd\uf128&\ufffd \u00b5M\ufffduE\ufffd\u0011\u001f\ufffd\ufffdk \ufffd\ufffd\ufffd\u001fi\ufffdZ\ufffd\ufffd6\f\ufffd\ufffd\ufffd[&\ufffd\u04afd\u0006\ufffd\ufffdQ\ufffd\ufffd\u0011[\u04c3\u0010\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005c\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003R\ufffdL\ufffdOww\ufffd\ufffd\u03a0\ufffd\uf128&\ufffd \u00b5M\ufffduE\ufffd\u0011\u001f\ufffd\ufffdk \ufffd\ufffd\ufffd\u001fi\ufffdZ\ufffd\ufffd6\f\ufffd\ufffd\ufffd[&\ufffd\u04afd\u0006\ufffd\ufffdQ\ufffd\ufffd\u0011[\u04c3\u0010\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e12a45a6019500dc3f26295c97669408ed7a0e1b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003R\ufffdL\ufffdOww\ufffd\ufffd\u03a0\ufffd\uf128&\ufffd \u00b5M\ufffduE\ufffd\u0011\u001f\ufffd\ufffdk \ufffd\ufffd\ufffd\u001fi\ufffdZ\ufffd\ufffd6\f\ufffd\ufffd\ufffd[&\ufffd\u04afd\u0006\ufffd\ufffdQ\ufffd\ufffd\u0011[\u04c3\u0010\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffdR\ufffdL\ufffdOww\ufffd\ufffd\u03a0\ufffd\uf128&\ufffd \u00b5M\ufffduE\ufffd\ufffd\ufffdk \ufffd\ufffd\ufffdi\ufffdZ\ufffd\ufffd6\ufffd\ufffd\ufffd[&\ufffd\u04afd\ufffd\ufffdQ\ufffd\ufffd[\u04c3\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd",
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003R\ufffdL\ufffdOww\ufffd\ufffd\u03a0\ufffd\uf128&\ufffd \u00b5M\ufffduE\ufffd\u0011\u001f\ufffd\ufffdk \ufffd\ufffd\ufffd\u001fi\ufffdZ\ufffd\ufffd6\f\ufffd\ufffd\ufffd[&\ufffd\u04afd\u0006\ufffd\ufffdQ\ufffd\ufffd\u0011[\u04c3\u0010\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdR\ufffdL\ufffdOww\ufffd\ufffd\u03a0\ufffd\uf128&\ufffd \u00b5M\ufffduE\ufffd\ufffd\ufffdk \ufffd\ufffd\ufffdi\ufffdZ\ufffd\ufffd6\ufffd\ufffd\ufffd[&\ufffd\u04afd\ufffd\ufffdQ\ufffd\ufffd[\u04c3\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
9100 · JETDIRECT
|
jetdirect
|
jetdirect
jetdirect · via JETDIRECT:9100 · (sonde / probe)
|
Moyenne
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
http2_preface
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
PRI * HTTP/2.0 SM ���������
Pourquoi cette classification : Type « jetdirect » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0768
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
PRI * HTTP/2.0
SM
����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 33,
"payload_entropy": 3.65045472541906,
"port_category": "registered",
"org": "Pilot Fiber, Inc.",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 46450,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "098db2a192f38cf253c354b9432b98bacf217e3a",
"event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0768"
],
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"service_name": "jetdirect",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 46450,
"org": "Pilot Fiber, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "da74b3e9488c0813fcd76f6273b0c115",
"path_pattern_hash": "c07c53e9d81674e63c0ba7ee4ce18080"
},
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 35
},
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "93790c5aadfd811073314389bbce9937b8789066",
"protocol_details": {
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"pat-0768"
],
"tags_summary_labels_fr": [
"pat-0768"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)",
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http2_preface"
]
}
|