Détails IP 159.192.96.84

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Rafale d'authentification SSH · confiance 100%

Confiance 100 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 131090 · 159.192.96.0/24 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 8 événements sur la période pour cette IP.

134.236.77.49 Sonde SMB 17/06/2026 04:01 UTC
61.7.147.229 mssql probe 15/06/2026 11:19 UTC
122.154.58.9 Sonde SSH 31/05/2026 20:04 UTC
116.58.239.144 msrpc 21/05/2026 05:45 UTC
159.192.146.114 Sonde TLS 13/05/2026 19:20 UTC
164.155.49.85 telnet attack 05/05/2026 18:43 UTC
159.192.146.106 Sonde TLS 03/05/2026 15:14 UTC
164.155.49.172 telnet attack 01/05/2026 06:38 UTC

IPs apparentées

Même FAI National Telecom Public Company Limited — corrélation indicative.

134.236.77.49 Sonde SMB
61.7.147.229 mssql probe
122.154.58.9 Sonde SSH
116.58.239.144 msrpc
159.192.146.114 Sonde TLS

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

MSSQL TCP 4 MYSQL TCP 2 SMB TCP 2

MSSQL

4

MYSQL

2

SMB

2

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

8 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
08/06/2026 01:22:35 UTC	TCP	3306 · MYSQL	mysql	Scan de ports port scan syn · via MYSQL:3306 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MYSQL WAF — Recommandation Surveiller Tags mysql_emulated mysql_handshake net_bruteforce net_mysql_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3306 Chemin / cible — Service MYSQL Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400", "emulator_response_len": 60, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "National Telecom Public Company Limited", "service": "mysql", "app_proto": "mysql", "asn": 131090, "country": "TH", "dst_port": 3306, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "28c3e957cec1e2b5b9c147f5c24a54d3fb68a28e", "event_fingerprint": "7e64d2ea7efbfd080eb620b69c685e7503a67a61", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "mysql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 131090, "org": "National Telecom Public Company Limited", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3306, "service": "mysql", "service_name": "mysql", "risk_score": 42 }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d87eabda010f230394a108b83b46c81d17bb7d38", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MYSQL \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mysql", "service_label_fr": "MYSQL", "dst_port": 3306, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "8.0.32-MySQL", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "evidence_snippet": null, "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mysql", "service_banner": "8.0.32-MySQL", "service_os": "linux", "dst_port": "3306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "mssql", "mysql", "smb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mysql_emulated", "mysql_handshake", "net_bruteforce", "net_mysql_probe" ] }
08/06/2026 01:22:35 UTC	TCP	3306 · MYSQL	mysql	Scan de ports port scan syn · via MYSQL:3306 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur MYSQL WAF — Recommandation Surveiller Tags mysql_emulated mysql_handshake net_bruteforce net_mysql_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3306 Chemin / cible — Service MYSQL Payload B��@rootmysqlmysql_native_password Pourquoi cette classification : Rafale d'authentification SSH · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) B��@rootmysqlmysql_native_password Meta JSON brut { "protocol_emulated": true, "emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400", "emulator_response_len": 60, "bytes_in": 70, "payload_entropy": 3.340427396359359, "port_category": "registered", "org": "National Telecom Public Company Limited", "service": "mysql", "app_proto": "mysql", "asn": 131090, "country": "TH", "dst_port": 3306, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "28c3e957cec1e2b5b9c147f5c24a54d3fb68a28e", "event_fingerprint": "7e64d2ea7efbfd080eb620b69c685e7503a67a61", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "mysql", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 131090, "org": "National Telecom Public Company Limited", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fa74385965b648f49d9603d41c99267c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 3306, "service": "mysql", "service_name": "mysql", "risk_score": 42 }, "payload_preview": "B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_password\u0000", "request_sample": "B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_password\u0000", "payload_snippet": "B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_password\u0000", "evidence": { "request_sample": "B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_password\u0000", "payload_snippet": "B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_password\u0000", "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "31c21416b1ec75caa15ec926476991f305da8cb2", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "payload_preview": "B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_password\u0000", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "evidence_snippet": "B\ufffd\ufffd@rootmysqlmysql_native_password", "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%", "classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MYSQL \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mysql", "service_label_fr": "MYSQL", "dst_port": 3306, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "8.0.32-MySQL", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "mysql_auth_fr": "Handshake MySQL (auth)", "payload_preview": "B\u0000\u0000\u0001\ufffd\ufffd\u000e\u0000\u0000\u0000\u0000@\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000root\u0000\u0000mysql\u0000mysql_native_password\u0000", "port": 3306, "service": "mysql", "service_label_fr": "MYSQL" }, "attack_vector": "port scan syn \u00b7 via MYSQL:3306 \u00b7 (reconnaissance)", "evidence_snippet": "B\ufffd\ufffd@rootmysqlmysql_native_password", "target_port_label": "3306 \u00b7 MYSQL", "emulator_service": "mysql", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mysql", "service_banner": "8.0.32-MySQL", "service_os": "linux", "dst_port": "3306" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "mssql", "mysql", "smb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "mysql_emulated", "mysql_handshake", "net_bruteforce", "net_mysql_probe" ] }
08/06/2026 01:22:23 UTC	TCP	1433 · MSSQL	mssql	Protocole TDS MSSQL mssql tds · via MSSQL:1433 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated mssql_payload mssql_probe mssql_tds Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Payload )�U0 Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0519 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) )�U0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "bytes_in": 41, "payload_entropy": 2.824666483818309, "port_category": "registered", "org": "National Telecom Public Company Limited", "service": "mssql", "app_proto": "mssql", "asn": 131090, "country": "TH", "dst_port": 1433, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 35, "tag_count": 5, "anomaly_count": 0, "campaign_key": "584dc8ab43572550a5af46f03637ac724e8c86c3", "event_fingerprint": "24635733bde8ab881cad2aa5e51b4b5bf5e45e9f", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 83, "precision_signals": [ "pat-0519", "INT-upstream" ], "kb_rule_ids": [ "pat-0519", "INT-upstream" ], "matched_patterns": [ "pat-0519", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 131090, "org": "National Telecom Public Company Limited", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e52866930b41bd4c0ecfbea09f825538", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 35 }, "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "request_sample": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f45bda00f7ca27ad92e1b779c1a74cd6ec6e56af", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "evidence_snippet": ")\ufffdU0", "attack_vector": "mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": [ "pat-0519", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0519", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "evidence_snippet": ")\ufffdU0", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "mssql", "smb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "mssql_payload", "mssql_probe", "mssql_tds", "net_mssql_tds" ] }
08/06/2026 01:22:14 UTC	TCP	1433 · MSSQL	mssql	Protocole TDS MSSQL mssql tds · via MSSQL:1433 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated mssql_payload mssql_probe mssql_tds Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Payload )�U0 Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0519 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) )�U0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "bytes_in": 41, "payload_entropy": 2.824666483818309, "port_category": "registered", "org": "National Telecom Public Company Limited", "service": "mssql", "app_proto": "mssql", "asn": 131090, "country": "TH", "dst_port": 1433, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 35, "tag_count": 5, "anomaly_count": 0, "campaign_key": "584dc8ab43572550a5af46f03637ac724e8c86c3", "event_fingerprint": "24635733bde8ab881cad2aa5e51b4b5bf5e45e9f", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 83, "precision_signals": [ "pat-0519", "INT-upstream" ], "kb_rule_ids": [ "pat-0519", "INT-upstream" ], "matched_patterns": [ "pat-0519", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 131090, "org": "National Telecom Public Company Limited", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e52866930b41bd4c0ecfbea09f825538", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 35 }, "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "request_sample": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f45bda00f7ca27ad92e1b779c1a74cd6ec6e56af", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "evidence_snippet": ")\ufffdU0", "attack_vector": "mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": [ "pat-0519", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0519", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "evidence_snippet": ")\ufffdU0", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "mssql", "smb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "mssql_payload", "mssql_probe", "mssql_tds", "net_mssql_tds" ] }
08/06/2026 01:22:07 UTC	TCP	1433 · MSSQL	mssql	Protocole TDS MSSQL mssql tds · via MSSQL:1433 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated mssql_payload mssql_probe mssql_tds Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Payload )�U0 Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 95% Confiance classification 100% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0519 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) )�U0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "bytes_in": 41, "payload_entropy": 2.824666483818309, "port_category": "registered", "org": "National Telecom Public Company Limited", "service": "mssql", "app_proto": "mssql", "asn": 131090, "country": "TH", "dst_port": 1433, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10 }, "risk_score": 35, "tag_count": 5, "anomaly_count": 0, "campaign_key": "584dc8ab43572550a5af46f03637ac724e8c86c3", "event_fingerprint": "24635733bde8ab881cad2aa5e51b4b5bf5e45e9f", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 1, "classification_confidence": 1, "precision_score": 83, "precision_signals": [ "pat-0519", "INT-upstream" ], "kb_rule_ids": [ "pat-0519", "INT-upstream" ], "matched_patterns": [ "pat-0519", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 131090, "org": "National Telecom Public Company Limited", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e52866930b41bd4c0ecfbea09f825538", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 35 }, "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "request_sample": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f45bda00f7ca27ad92e1b779c1a74cd6ec6e56af", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "evidence_snippet": ")\ufffdU0", "attack_vector": "mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 10, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": [ "pat-0519", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0519", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000\u00000\u000e\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "evidence_snippet": ")\ufffdU0", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "mssql", "smb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "mssql_payload", "mssql_probe", "mssql_tds", "net_mssql_tds" ] }
08/06/2026 01:22:06 UTC	TCP	1433 · MSSQL	mssql	mssql probe mssql probe · via MSSQL:1433 · (sonde / probe)	Élevée	Faible · 21
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated net_mssql_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Pourquoi cette classification : Type « mssql_probe » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 21 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "National Telecom Public Company Limited", "service": "mssql", "app_proto": "mssql", "asn": 131090, "country": "TH", "dst_port": 1433, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 21, "tag_count": 2, "anomaly_count": 0, "campaign_key": "1a5b2fa475f95e8d817d64405cb3644e25f7ec32", "event_fingerprint": "6e104f6072c052d0dd22893d2f1fa140642f7c7c", "classification_reason": "Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 21, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 131090, "org": "National Telecom Public Company Limited", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "6d4ca317e1154f7afb07772c79279a04" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 21 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26b7a6df5d89ce56b26b7300a9dcbd23c6a4f162", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab mssql_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 21, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 21, "risk_label": "Faible", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "mssql probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "mssql", "smb" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "net_mssql_probe" ] }
08/06/2026 01:21:57 UTC	TCP	445 · SMB	smb	Protocole TDS MSSQL mssql tds · via SMB:445 · (sonde / probe)	Élevée	Faible · 32
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SMB WAF — Recommandation Surveiller Tags net_smb_probe smb_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 445 Chemin / cible — Service SMB Payload T�SMBr(DmB�1LANMAN1.0LM1.2X002NT LANMAN 1.0NT LM 0.12 Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 32 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0356 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) T�SMBr(DmB�1LANMAN1.0LM1.2X002NT LANMAN 1.0NT LM 0.12 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000048", "emulator_response_len": 4, "bytes_in": 88, "payload_entropy": 3.701137069879752, "port_category": "well_known", "org": "National Telecom Public Company Limited", "service": "smb", "app_proto": "smb", "asn": 131090, "country": "TH", "dst_port": 445, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 32, "tag_count": 2, "anomaly_count": 0, "campaign_key": "90eadff6383eb9d1d8f3257adde4c79c467b3287", "event_fingerprint": "c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0356" ], "kb_rule_ids": [ "pat-0356" ], "matched_patterns": [ "pat-0356", "pat-0554" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0356", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 32 }, "named_classification_skipped": false, "service_name": "smb", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 131090, "org": "National Telecom Public Company Limited", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "cb970f018306412ae8aedb1d637f4198", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 445, "service": "smb", "service_name": "smb", "risk_score": 32 }, "payload_preview": "\u0000\u0000\u0000T\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Dm\u0000\u0000B\ufffd\u00001\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "request_sample": "\u0000\u0000\u0000T\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Dm\u0000\u0000B\ufffd\u00001\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "payload_snippet": "\u0000\u0000\u0000T\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Dm\u0000\u0000B\ufffd\u00001\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000T\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Dm\u0000\u0000B\ufffd\u00001\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "payload_snippet": "\u0000\u0000\u0000T\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Dm\u0000\u0000B\ufffd\u00001\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bdce039df2a4db5c03b9bfd1aaafea1b8a5a4d88", "protocol_details": { "payload_preview": "\u0000\u0000\u0000T\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Dm\u0000\u0000B\ufffd\u00001\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "evidence_snippet": "T\ufffdSMBr(DmB\ufffd1LANMAN1.0LM1.2X002NT LANMAN 1.0NT LM 0.12", "attack_vector": "mssql tds \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 32 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 32, "risk_label": "Faible", "service_name": "smb", "service_label_fr": "SMB", "dst_port": 445, "protocol_emulated": true, "tags_summary": [ "pat-0356" ], "tags_summary_labels_fr": [ "pat-0356" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smb", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000T\ufffdSMBr\u0000\u0000\u0000\u0000\u0018\u0001(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000Dm\u0000\u0000B\ufffd\u00001\u0000\u0002LANMAN1.0\u0000\u0002LM1.2X002\u0000\u0002NT LANMAN 1.0\u0000\u0002NT LM 0.12\u0000", "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "mssql tds \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "evidence_snippet": "T\ufffdSMBr(DmB\ufffd1LANMAN1.0LM1.2X002NT LANMAN 1.0NT LM 0.12", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smb", "service_banner": "honeypot-smb", "service_os": "linux", "dst_port": "445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_smb_probe", "smb_emulated" ] }
08/06/2026 01:21:55 UTC	TCP	445 · SMB	smb	Sonde SMB smb probe · via SMB:445 · (sonde / probe)	Élevée	Faible · 21
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur SMB WAF — Recommandation Surveiller Tags net_smb_probe smb_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 445 Chemin / cible — Service SMB Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 21 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "National Telecom Public Company Limited", "service": "smb", "app_proto": "smb", "asn": 131090, "country": "TH", "dst_port": 445, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 21, "tag_count": 2, "anomaly_count": 0, "campaign_key": "90eadff6383eb9d1d8f3257adde4c79c467b3287", "event_fingerprint": "c2dcd725f3d49cc7233ad16d1772dcd2f3d0439d", "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 21 }, "named_classification_skipped": false, "service_name": "smb", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "TH", "asn": 131090, "org": "National Telecom Public Company Limited", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504" }, "target_context": { "dst_port": 445, "service": "smb", "service_name": "smb", "risk_score": 21 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ef65a26a218aa90e71bfdd5be23cdac9a07fef86", "protocol_details": { "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 21 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 21, "risk_label": "Faible", "service_name": "smb", "service_label_fr": "SMB", "dst_port": 445, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-smb", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 445, "service": "smb", "service_label_fr": "SMB" }, "attack_vector": "smb probe \u00b7 via SMB:445 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "445 \u00b7 SMB", "emulator_service": "smb", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "smb", "service_banner": "honeypot-smb", "service_os": "linux", "dst_port": "445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_smb_probe", "smb_emulated" ] }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

159.192.96.84

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence