{"ip":"160.119.71.136","exported_at":"2026-07-16T23:38:17+00:00","period_days":1,"metrics":{"events7d":2601,"distinct_ports":372,"distinct_classifications":91,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":62,"max_risk_score":76,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["web_injection"],"recommended_action":"investigate","confidence":0.95,"risk_breakdown":{"waf":8,"classification":85,"behavior":0,"geo":0,"protocol":30,"novelty":25},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"TA0001","top_mitre_technique":"TA0001","top_mitre_count":3735,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via K8S API","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":85,"behavior":0,"geo":0,"protocol":30,"novelty":25,"risk_score":53},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":95,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0842"],"tags_summary":["pat-0842"],"attack_vector":"http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)","protocol_details":{"payload_preview":"POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr","port":6443,"service":"k8s-api","service_label_fr":"K8S API"},"protocol_summary_fr":"Payload POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nContent-Length\u2026 \u00b7 K8S API:6443","evidence_snippet":"POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr","target_port_label":"6443 \u00b7 K8S API","emulator_service":"k8s-api","confidence_reason":"Confiance 95 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%","classification_reason_label_fr":"Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%","confidence_factors_fr":"Confiance 95 % \u2014 Score WAF 8","payload_preview":"POST \/api\/route HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nContent-Length: 517\r\nConnection: close\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr"},"events":[{"id":12607271,"ip":"160.119.71.136","ts":"2026-07-16 23:38:08.000000","proto":"tcp","src_port":57518,"dst_port":6443,"service":"k8s-api","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 966, \u0022payload_entropy\u0022: 5.684977692276031, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226c603893c1dba8383fe7afbcbf5f12b3507d568a\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222dd06a9407402162da8939dd3c94e3be\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gz\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gz\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002201bb55ec61497f4453c3bfce06dad6c9696d911d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via K8S API\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Andr\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":966},{"id":12607269,"ip":"160.119.71.136","ts":"2026-07-16 23:38:07.000000","proto":"tcp","src_port":57504,"dst_port":6443,"service":"k8s-api","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 953, \u0022payload_entropy\u0022: 5.646213549838198, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226c603893c1dba8383fe7afbcbf5f12b3507d568a\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220471a760903e8b39c3ac63cb82f5ffa3\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; \u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228808357176fa5bd2a0d4d5b793f1acef97e5e6b0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via K8S API\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":953},{"id":12607270,"ip":"160.119.71.136","ts":"2026-07-16 23:38:07.000000","proto":"tcp","src_port":57514,"dst_port":6443,"service":"k8s-api","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 949, \u0022payload_entropy\u0022: 5.670669614280083, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226c603893c1dba8383fe7afbcbf5f12b3507d568a\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221dfc20bb8c73ea0be33b4fac01a26aeb\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022691d064ddc21aa0531a166a6d0bc83cfa01f197d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via K8S API\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":949},{"id":12607268,"ip":"160.119.71.136","ts":"2026-07-16 23:38:06.000000","proto":"tcp","src_port":57498,"dst_port":6443,"service":"k8s-api","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 984, \u0022payload_entropy\u0022: 5.681129121079167, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226c603893c1dba8383fe7afbcbf5f12b3507d568a\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022474c059463d6fe7dcc5004ccb96cdb8b\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002282e05a8579247da36961de0a48e162036fc068e5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via K8S API\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":984},{"id":12607266,"ip":"160.119.71.136","ts":"2026-07-16 23:38:05.000000","proto":"tcp","src_port":57484,"dst_port":6443,"service":"k8s-api","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 939, \u0022payload_entropy\u0022: 5.654429804002051, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226c603893c1dba8383fe7afbcbf5f12b3507d568a\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002236f90f608dce0ed1435bc7a042cca20a\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022037fdd5d78638a769c5f75aa5de0724c73351f68\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via K8S API\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":939},{"id":12607263,"ip":"160.119.71.136","ts":"2026-07-16 23:38:04.000000","proto":"tcp","src_port":43970,"dst_port":6443,"service":"k8s-api","classification":"kubernetes_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228100e0ba2951eda4f623efc9a065b92ccaae19c9\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00229911336c7fd1406c8e284bedc6c69f4b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022cloud_infra_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f9f340bfc4ed0f48a4e2f9585f4a73ad349d7c3c\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022kubernetes probe \u00b7 via K8S API:6443 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab kubernetes_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022kubernetes probe \u00b7 via K8S API:6443 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":12607264,"ip":"160.119.71.136","ts":"2026-07-16 23:38:04.000000","proto":"tcp","src_port":43980,"dst_port":6443,"service":"k8s-api","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75\u0022, \u0022emulator_response_len\u0022: 165, \u0022bytes_in\u0022: 934, \u0022payload_entropy\u0022: 5.648967727783172, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022k8s-api\u0022, \u0022app_proto\u0022: \u0022k8s-api\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226c603893c1dba8383fe7afbcbf5f12b3507d568a\u0022, \u0022event_fingerprint\u0022: \u00225535c85e0f6854b807e5b9ef895f87dbea310cc1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022df029caa3a7d12d261212161383b6ae1\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-N\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-N\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002250f2364d0a44c35bb6d19a0803b25a01209f92e3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via K8S API\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 53, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022, \u0022dst_port\u0022: 6443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022port\u0022: 6443, \u0022service\u0022: \u0022k8s-api\u0022, \u0022service_label_fr\u0022: \u0022K8S API\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via K8S API:6443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6443\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00226443 \u00b7 K8S API\u0022, \u0022emulator_service\u0022: \u0022k8s-api\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022k8s_api\u0022, \u0022service_banner\u0022: \u0022honeypot-k8s-api\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022k8s_api_emulated\u0022, \u0022k8s_api_payload\u0022, \u0022kubernetes_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_kubernetes_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":934},{"id":12606296,"ip":"160.119.71.136","ts":"2026-07-16 23:08:43.000000","proto":"tcp","src_port":43004,"dst_port":3012,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u0022e433d07af7bb8b26000765e3c2263155e9c1e19e\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 959, \u0022payload_entropy\u0022: 5.619491639627877, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3012, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022796b25147baca6fa46872cfd33c982040102c6f4\u0022, \u0022event_fingerprint\u0022: \u0022e72f918ea47985695f09e756ed8b7d3ef3a8bef3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u0022d2401f3cfe09b8e2e78c190098512964\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002284b4c69c216a808cdf138897e7e9ead7b71f8fbd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:3012\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3012","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]","anomalies":"[]","severity":10,"bytes_in":959},{"id":12606297,"ip":"160.119.71.136","ts":"2026-07-16 23:08:43.000000","proto":"tcp","src_port":43020,"dst_port":3012,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022a76e08b809549a8ef70acaf7074b5caa8a051858\u0022, \u0022http_host_hash\u0022: \u0022e433d07af7bb8b26000765e3c2263155e9c1e19e\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 944, \u0022payload_entropy\u0022: 5.648007012132698, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3012, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002250b9c2cd6cb55fe2e6a8d3e048c529b2eff27142\u0022, \u0022event_fingerprint\u0022: \u0022900282bdd43ed2e20b24109cc5840ae1daf88c28\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264a32e80cd1b4b7b1af4cc78f58848ee\u0022, \u0022payload_hash\u0022: \u0022306597194885290cfc1483aee99ff9d4\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNe\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNe\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228cb448971f13b5fcbe71b8ae494127645035d154\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 512\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:3012\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3012","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]","anomalies":"[]","severity":10,"bytes_in":944},{"id":12606298,"ip":"160.119.71.136","ts":"2026-07-16 23:08:43.000000","proto":"tcp","src_port":43030,"dst_port":3012,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228563f2ed0fd1b3832e8c528ca96b1f98a5b0004e\u0022, \u0022http_host_hash\u0022: \u0022e433d07af7bb8b26000765e3c2263155e9c1e19e\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 949, \u0022payload_entropy\u0022: 5.65233080834876, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3012, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 15, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022946e61eb1a3cc2c88d140ed029bb676ca783baa9\u0022, \u0022event_fingerprint\u0022: \u00222ca3a317238037734cb6a81a96253f1f78537c94\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022fcf5bfa409c42db4e4a5f32bcc91f966\u0022, \u0022payload_hash\u0022: \u002276c6b60cba3222287a771a42cbaa4074\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228cd4d686194847cb0c7d8c2c09e99744b3813058\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:3012\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3012","http_user_agent":"Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]","anomalies":"[]","severity":10,"bytes_in":949},{"id":12606294,"ip":"160.119.71.136","ts":"2026-07-16 23:08:42.000000","proto":"tcp","src_port":42992,"dst_port":3012,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228563f2ed0fd1b3832e8c528ca96b1f98a5b0004e\u0022, \u0022http_host_hash\u0022: \u0022e433d07af7bb8b26000765e3c2263155e9c1e19e\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 942, \u0022payload_entropy\u0022: 5.630237769917525, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3012, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002215bfa5db64e59f33e3444b0b8ff21c955337e2e1\u0022, \u0022event_fingerprint\u0022: \u0022ee7b685848de52c115b4f3159562b7ff44c59c48\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022fcf5bfa409c42db4e4a5f32bcc91f966\u0022, \u0022payload_hash\u0022: \u0022410248c11973e6cc791a4d517bc99be0\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f66279b7f4e3f32d480abc15cc83e96bbebef9aa\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:3012\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3012","http_user_agent":"Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]","anomalies":"[]","severity":10,"bytes_in":942},{"id":12606293,"ip":"160.119.71.136","ts":"2026-07-16 23:08:41.000000","proto":"tcp","src_port":42982,"dst_port":3012,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221978af5307537775fab4b66b0f1439319be37ce1\u0022, \u0022http_host_hash\u0022: \u0022e433d07af7bb8b26000765e3c2263155e9c1e19e\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 989, \u0022payload_entropy\u0022: 5.693804578485616, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3012, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 11, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002250b9c2cd6cb55fe2e6a8d3e048c529b2eff27142\u0022, \u0022event_fingerprint\u0022: \u00227cf39926092943fec1881f16cd60baf3efd6aaed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227967be4fa492cfad4b86b41e3ae090e9\u0022, \u0022payload_hash\u0022: \u002269976dc140a6ef638f629f1e58cb6fac\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002216acfc124adbecbde671b762936795a0a320f7e0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:3012\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3012","http_user_agent":"Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]","anomalies":"[]","severity":10,"bytes_in":989},{"id":12606291,"ip":"160.119.71.136","ts":"2026-07-16 23:08:40.000000","proto":"tcp","src_port":42968,"dst_port":3012,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3012, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 0.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ccfe4ff6d704fc2cf2649db0d3d5a2ca4cdd1874\u0022, \u0022event_fingerprint\u0022: \u0022e775f98cebae39b767c47e0125ebe9dd399ee39e\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3012, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b33dc35d137bab4f492c4d2092999eff94dff442\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 3012}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 3012 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223012\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 3012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 3012}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 3012 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00223012\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":12606292,"ip":"160.119.71.136","ts":"2026-07-16 23:08:40.000000","proto":"tcp","src_port":42976,"dst_port":3012,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022a76e08b809549a8ef70acaf7074b5caa8a051858\u0022, \u0022http_host_hash\u0022: \u0022e433d07af7bb8b26000765e3c2263155e9c1e19e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 942, \u0022payload_entropy\u0022: 5.66174726954984, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3012, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002237cc7313f57b76e4e02090af414a692ff14a3b36\u0022, \u0022event_fingerprint\u0022: \u0022978a16cad6018daddf5bc045558ebfee1979f07a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264a32e80cd1b4b7b1af4cc78f58848ee\u0022, \u0022payload_hash\u0022: \u002224a49c43b7b596d466a3c5e5e44959be\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022058d62b9ad615e69b307133578ea71e7a3d21197\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3012, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 3012, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:3012 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3012\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00223012 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223012\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:3012\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3012","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]","anomalies":"[]","severity":10,"bytes_in":942},{"id":12605629,"ip":"160.119.71.136","ts":"2026-07-16 22:47:50.000000","proto":"tcp","src_port":47416,"dst_port":10001,"service":"memcached-alt","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 952, \u0022payload_entropy\u0022: 5.658398314634366, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022app_proto\u0022: \u0022memcached-alt\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 10001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283ebf3e8a5cba2c6d6f1977c4aa7e1e980d7a716\u0022, \u0022event_fingerprint\u0022: \u00225d393a0db7e2c5a66bd33c9f59feee136ae2f314\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a5cc8f2376822a9c3499ca5c091f47a2\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Wi\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Wi\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Wi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b0601321801567915bcc3ba9dee970a2aca9736\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Wi\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Wi\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via MEMCACHED ALT\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022, \u0022dst_port\u0022: 10001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Wi\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Wi\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":952},{"id":12605632,"ip":"160.119.71.136","ts":"2026-07-16 22:47:50.000000","proto":"tcp","src_port":47430,"dst_port":10001,"service":"memcached-alt","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 958, \u0022payload_entropy\u0022: 5.631057678750747, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022app_proto\u0022: \u0022memcached-alt\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 10001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283ebf3e8a5cba2c6d6f1977c4aa7e1e980d7a716\u0022, \u0022event_fingerprint\u0022: \u00225d393a0db7e2c5a66bd33c9f59feee136ae2f314\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002221fbd01d497d2e90c7021fc888e4087f\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, defl\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, defl\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ecdb2fadaf61d0e38deb594a1253d4857a84b681\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via MEMCACHED ALT\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022, \u0022dst_port\u0022: 10001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":958},{"id":12605625,"ip":"160.119.71.136","ts":"2026-07-16 22:47:49.000000","proto":"tcp","src_port":47400,"dst_port":10001,"service":"memcached-alt","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 982, \u0022payload_entropy\u0022: 5.679944676781437, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022app_proto\u0022: \u0022memcached-alt\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 10001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283ebf3e8a5cba2c6d6f1977c4aa7e1e980d7a716\u0022, \u0022event_fingerprint\u0022: \u00225d393a0db7e2c5a66bd33c9f59feee136ae2f314\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002254ce6311a95f4d6c2784831f116ce43b\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; \u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.3\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.3\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f5df8230974a5284d15fe2e4b466bbfc9c12f915\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via MEMCACHED ALT\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022, \u0022dst_port\u0022: 10001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14;\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":982},{"id":12605626,"ip":"160.119.71.136","ts":"2026-07-16 22:47:49.000000","proto":"tcp","src_port":47406,"dst_port":10001,"service":"memcached-alt","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 953, \u0022payload_entropy\u0022: 5.636502615022878, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022app_proto\u0022: \u0022memcached-alt\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 10001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283ebf3e8a5cba2c6d6f1977c4aa7e1e980d7a716\u0022, \u0022event_fingerprint\u0022: \u00225d393a0db7e2c5a66bd33c9f59feee136ae2f314\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221c922e14266fe50b16d8ef3b07c64c56\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002204649fe74262b0eaa5dc4554f67b864a33417cc9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via MEMCACHED ALT\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022, \u0022dst_port\u0022: 10001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":953},{"id":12605623,"ip":"160.119.71.136","ts":"2026-07-16 22:47:48.000000","proto":"tcp","src_port":47384,"dst_port":10001,"service":"memcached-alt","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 980, \u0022payload_entropy\u0022: 5.696953123978992, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022app_proto\u0022: \u0022memcached-alt\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 10001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283ebf3e8a5cba2c6d6f1977c4aa7e1e980d7a716\u0022, \u0022event_fingerprint\u0022: \u00225d393a0db7e2c5a66bd33c9f59feee136ae2f314\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f553270499bac2d840b4bda8e113746a\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccep\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccep\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002233f39f6141e580c1ac1d420457d12b00f66e5029\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via MEMCACHED ALT\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022, \u0022dst_port\u0022: 10001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9;\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":980},{"id":12605621,"ip":"160.119.71.136","ts":"2026-07-16 22:47:47.000000","proto":"tcp","src_port":47382,"dst_port":10001,"service":"memcached-alt","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 928, \u0022payload_entropy\u0022: 5.6017734752839266, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022app_proto\u0022: \u0022memcached-alt\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 10001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283ebf3e8a5cba2c6d6f1977c4aa7e1e980d7a716\u0022, \u0022event_fingerprint\u0022: \u00225d393a0db7e2c5a66bd33c9f59feee136ae2f314\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225ce6fe8042918e33baad8a9b56edeb45\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-N\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-N\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b47a7a95de8677a9c3b6ed13e2899804c98df73c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via MEMCACHED ALT\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022, \u0022dst_port\u0022: 10001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541\u0022, \u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via MEMCACHED ALT:10001 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10001\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":928},{"id":12605620,"ip":"160.119.71.136","ts":"2026-07-16 22:47:46.000000","proto":"tcp","src_port":47378,"dst_port":10001,"service":"memcached-alt","classification":"memcached-alt","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022app_proto\u0022: \u0022memcached-alt\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 10001, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022140e92b59595c15f27661830384dc2811c171835\u0022, \u0022event_fingerprint\u0022: \u0022774499d61a821a4bd2b4da0dfeb387978087a7bf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab memcached-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022927bc142a6309629937cd02fbd617a2e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224f828fa8efb1fac4843592d862c5f6a77203da73\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022memcached-alt \u00b7 via MEMCACHED ALT:10001 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab memcached-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab memcached-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022, \u0022dst_port\u0022: 10001, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 10001, \u0022service\u0022: \u0022memcached-alt\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED ALT\u0022}, \u0022attack_vector\u0022: \u0022memcached-alt \u00b7 via MEMCACHED ALT:10001 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002210001 \u00b7 MEMCACHED ALT\u0022, \u0022emulator_service\u0022: \u0022memcached-alt\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached_alt\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached-alt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210001\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":12595987,"ip":"160.119.71.136","ts":"2026-07-16 22:24:16.000000","proto":"tcp","src_port":56814,"dst_port":6002,"service":"x11-2","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207831315f3220726561647920706f72743d363030320d0a\u0022, \u0022emulator_response_len\u0022: 36, \u0022bytes_in\u0022: 1000, \u0022payload_entropy\u0022: 5.670204073391556, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022x11-2\u0022, \u0022app_proto\u0022: \u0022x11-2\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b068d574cd09cc1c6541ffdece7dce809559bc2b\u0022, \u0022event_fingerprint\u0022: \u002292a505b7a4b1ed70159d9f97054b022dcfe7159c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fd2692eb336b05b3844961ebd1f0278c\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222635efbb20fa602c6359fc4686fd52651e18aa59\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via X11 2\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022, \u0022dst_port\u0022: 6002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022x11_2\u0022, \u0022service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":1000},{"id":12595982,"ip":"160.119.71.136","ts":"2026-07-16 22:24:15.000000","proto":"tcp","src_port":48830,"dst_port":6002,"service":"x11-2","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207831315f3220726561647920706f72743d363030320d0a\u0022, \u0022emulator_response_len\u0022: 36, \u0022bytes_in\u0022: 954, \u0022payload_entropy\u0022: 5.654566501088918, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022x11-2\u0022, \u0022app_proto\u0022: \u0022x11-2\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b068d574cd09cc1c6541ffdece7dce809559bc2b\u0022, \u0022event_fingerprint\u0022: \u002292a505b7a4b1ed70159d9f97054b022dcfe7159c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c2b996030045b3e204548a613f1d5c07\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT \u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, de\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, de\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ec234253a96d203de7db68566a2fc9069535fa2d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via X11 2\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022, \u0022dst_port\u0022: 6002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022x11_2\u0022, \u0022service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":954},{"id":12595983,"ip":"160.119.71.136","ts":"2026-07-16 22:24:15.000000","proto":"tcp","src_port":56800,"dst_port":6002,"service":"x11-2","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207831315f3220726561647920706f72743d363030320d0a\u0022, \u0022emulator_response_len\u0022: 36, \u0022bytes_in\u0022: 960, \u0022payload_entropy\u0022: 5.681065494658642, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022x11-2\u0022, \u0022app_proto\u0022: \u0022x11-2\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b068d574cd09cc1c6541ffdece7dce809559bc2b\u0022, \u0022event_fingerprint\u0022: \u002292a505b7a4b1ed70159d9f97054b022dcfe7159c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002239e4cc51b4b4223750876cd374ae7c27\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gzip, de\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gzip, de\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221ee0887e78686a695c0bcbe33cb47207b6981a82\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via X11 2\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022, \u0022dst_port\u0022: 6002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022x11_2\u0022, \u0022service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":960},{"id":12595981,"ip":"160.119.71.136","ts":"2026-07-16 22:24:14.000000","proto":"tcp","src_port":48816,"dst_port":6002,"service":"x11-2","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207831315f3220726561647920706f72743d363030320d0a\u0022, \u0022emulator_response_len\u0022: 36, \u0022bytes_in\u0022: 984, \u0022payload_entropy\u0022: 5.700351336738496, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022x11-2\u0022, \u0022app_proto\u0022: \u0022x11-2\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b068d574cd09cc1c6541ffdece7dce809559bc2b\u0022, \u0022event_fingerprint\u0022: \u002292a505b7a4b1ed70159d9f97054b022dcfe7159c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f30684078afc24094432a25847fb11b2\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AFTWMST22 Build\/PS7233; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/88.0.4324.152 Mobile Safari\/537.36\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cd38b64358370738c9aa443a3f48b815d7e53e21\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via X11 2\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022, \u0022dst_port\u0022: 6002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; AF\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022x11_2\u0022, \u0022service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":984},{"id":12595980,"ip":"160.119.71.136","ts":"2026-07-16 22:24:13.000000","proto":"tcp","src_port":48806,"dst_port":6002,"service":"x11-2","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207831315f3220726561647920706f72743d363030320d0a\u0022, \u0022emulator_response_len\u0022: 36, \u0022bytes_in\u0022: 939, \u0022payload_entropy\u0022: 5.640388456469496, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022x11-2\u0022, \u0022app_proto\u0022: \u0022x11-2\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b068d574cd09cc1c6541ffdece7dce809559bc2b\u0022, \u0022event_fingerprint\u0022: \u002292a505b7a4b1ed70159d9f97054b022dcfe7159c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002216182504fd0f49bd5f0a8b4fc6362ee7\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e5dd10162c7a74cd63643bd10465c67aca56faa2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via X11 2\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022, \u0022dst_port\u0022: 6002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022x11_2\u0022, \u0022service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":939},{"id":12595977,"ip":"160.119.71.136","ts":"2026-07-16 22:24:12.000000","proto":"tcp","src_port":48790,"dst_port":6002,"service":"x11-2","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207831315f3220726561647920706f72743d363030320d0a\u0022, \u0022emulator_response_len\u0022: 36, \u0022bytes_in\u0022: 964, \u0022payload_entropy\u0022: 5.674135703216539, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022x11-2\u0022, \u0022app_proto\u0022: \u0022x11-2\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b068d574cd09cc1c6541ffdece7dce809559bc2b\u0022, \u0022event_fingerprint\u0022: \u002292a505b7a4b1ed70159d9f97054b022dcfe7159c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222e4edfe446b1001198fecf637f81b3d3\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gzip, defla\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gzip, defla\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229a4b38366e5fbf86e4819ad61b78e95caa3acc2e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via X11 2\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022, \u0022dst_port\u0022: 6002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2\u0022, \u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via X11 2:6002 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:6002\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022x11_2\u0022, \u0022service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":964},{"id":12595976,"ip":"160.119.71.136","ts":"2026-07-16 22:24:11.000000","proto":"tcp","src_port":48784,"dst_port":6002,"service":"x11-2","classification":"x11-2","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74207831315f3220726561647920706f72743d363030320d0a\u0022, \u0022emulator_response_len\u0022: 36, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022x11-2\u0022, \u0022app_proto\u0022: \u0022x11-2\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 6002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e7d282a0ec19c46689c9e64b2d1946d47190a742\u0022, \u0022event_fingerprint\u0022: \u002248f3321cd2ff669cc459d0416d74b754cdcc79de\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab x11-2 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022db0b049a283e8c56ee1d83545ddd27af\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002245f6944fde49748263403f07ca378198f90710cc\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022attack_vector\u0022: \u0022x11-2 \u00b7 via X11 2:6002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab x11-2 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab x11-2 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022, \u0022dst_port\u0022: 6002, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 6002, \u0022service\u0022: \u0022x11-2\u0022, \u0022service_label_fr\u0022: \u0022X11 2\u0022}, \u0022attack_vector\u0022: \u0022x11-2 \u00b7 via X11 2:6002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00226002 \u00b7 X11 2\u0022, \u0022emulator_service\u0022: \u0022x11-2\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022x11_2\u0022, \u0022service_banner\u0022: \u0022honeypot-x11-2\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":12583087,"ip":"160.119.71.136","ts":"2026-07-16 22:00:28.000000","proto":"tcp","src_port":42508,"dst_port":3050,"service":"firebird","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022000000090000000003\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 921, \u0022payload_entropy\u0022: 5.612483484458075, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022firebird\u0022, \u0022app_proto\u0022: \u0022firebird\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ab03b99004393e3ebc9b094953b8d30e20f7d98b\u0022, \u0022event_fingerprint\u0022: \u0022ccb7e0f3a022cfd04a51e40ccd64f2e9875c39ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b77d805d5661b969e0961291113d8b32\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT \u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: po\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: po\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b932c8ab4005fab5e0437b49d66ad2fbc5f1a2f8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via FIREBIRD\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022, \u0022dst_port\u0022: 3050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022firebird\u0022, \u0022service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":921},{"id":12583089,"ip":"160.119.71.136","ts":"2026-07-16 22:00:28.000000","proto":"tcp","src_port":42510,"dst_port":3050,"service":"firebird","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022000000090000000003\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 906, \u0022payload_entropy\u0022: 5.605843194903964, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022firebird\u0022, \u0022app_proto\u0022: \u0022firebird\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ab03b99004393e3ebc9b094953b8d30e20f7d98b\u0022, \u0022event_fingerprint\u0022: \u0022ccb7e0f3a022cfd04a51e40ccd64f2e9875c39ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fe3686003bac086be17debcb5f4f76cd\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\\nC\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e44cd95f059810f473645b1d1f93983f49c2b4b5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via FIREBIRD\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022, \u0022dst_port\u0022: 3050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022firebird\u0022, \u0022service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":906},{"id":12583091,"ip":"160.119.71.136","ts":"2026-07-16 22:00:28.000000","proto":"tcp","src_port":42512,"dst_port":3050,"service":"firebird","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022000000090000000003\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 950, \u0022payload_entropy\u0022: 5.640429256522991, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022firebird\u0022, \u0022app_proto\u0022: \u0022firebird\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ab03b99004393e3ebc9b094953b8d30e20f7d98b\u0022, \u0022event_fingerprint\u0022: \u0022ccb7e0f3a022cfd04a51e40ccd64f2e9875c39ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225e94f8e428ad6f84418af7a818c41959\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022754ed4c6f0c55d530c2cdaa127b796c8e2f21b29\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via FIREBIRD\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022, \u0022dst_port\u0022: 3050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022firebird\u0022, \u0022service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":950},{"id":12583080,"ip":"160.119.71.136","ts":"2026-07-16 22:00:27.000000","proto":"tcp","src_port":42494,"dst_port":3050,"service":"firebird","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022000000090000000003\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 937, \u0022payload_entropy\u0022: 5.626965925375245, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022firebird\u0022, \u0022app_proto\u0022: \u0022firebird\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ab03b99004393e3ebc9b094953b8d30e20f7d98b\u0022, \u0022event_fingerprint\u0022: \u0022ccb7e0f3a022cfd04a51e40ccd64f2e9875c39ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002292836589c9922b475c1bd1fb645f8178\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002234c937b3834d01443ee15e0848c4a5b9296617be\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via FIREBIRD\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022, \u0022dst_port\u0022: 3050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 145\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022firebird\u0022, \u0022service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":937},{"id":12583066,"ip":"160.119.71.136","ts":"2026-07-16 22:00:26.000000","proto":"tcp","src_port":42478,"dst_port":3050,"service":"firebird","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022000000090000000003\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 963, \u0022payload_entropy\u0022: 5.6695567254997, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022firebird\u0022, \u0022app_proto\u0022: \u0022firebird\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ab03b99004393e3ebc9b094953b8d30e20f7d98b\u0022, \u0022event_fingerprint\u0022: \u0022ccb7e0f3a022cfd04a51e40ccd64f2e9875c39ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ced0624faa5963a154da3d7265db863f\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android \u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gzip, \u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.2.2; he-il; NEO-X5-116A Build\/JDQ39) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Safari\/534.30\\r\\nAccept-Encoding: gzip, \u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bfa45ba08e1c55da14ad7190389b3f69300f135a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via FIREBIRD\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022, \u0022dst_port\u0022: 3050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; U; Android\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022firebird\u0022, \u0022service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":963},{"id":12583043,"ip":"160.119.71.136","ts":"2026-07-16 22:00:25.000000","proto":"tcp","src_port":52614,"dst_port":3050,"service":"firebird","classification":"firebird_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022000000090000000003\u0022, \u0022emulator_response_len\u0022: 9, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022firebird\u0022, \u0022app_proto\u0022: \u0022firebird\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e4596522212c693bd6158bffd566553ff7c85e0b\u0022, \u0022event_fingerprint\u0022: \u0022ccb7e0f3a022cfd04a51e40ccd64f2e9875c39ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab firebird_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00226e1650c772b75626cc366734cce9c329\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220c1a2c3dcb951e6d73f450989bb3cb126e1d0786\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022attack_vector\u0022: \u0022firebird probe \u00b7 via FIREBIRD:3050 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab firebird_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab firebird_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022, \u0022dst_port\u0022: 3050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022attack_vector\u0022: \u0022firebird probe \u00b7 via FIREBIRD:3050 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022firebird\u0022, \u0022service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022firebird_emulated\u0022, \u0022net_firebird_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022firebird_emulated\u0022, \u0022net_firebird_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":0},{"id":12583051,"ip":"160.119.71.136","ts":"2026-07-16 22:00:25.000000","proto":"tcp","src_port":52622,"dst_port":3050,"service":"firebird","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022000000090000000003\u0022, \u0022emulator_response_len\u0022: 9, \u0022bytes_in\u0022: 941, \u0022payload_entropy\u0022: 5.662296380518599, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022firebird\u0022, \u0022app_proto\u0022: \u0022firebird\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 3050, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ab03b99004393e3ebc9b094953b8d30e20f7d98b\u0022, \u0022event_fingerprint\u0022: \u0022ccb7e0f3a022cfd04a51e40ccd64f2e9875c39ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022519b76d395d1c41e745ae06b42020581\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: \u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: \u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f752bdc1a03b1ab5bafd9e978d14397c612d5995\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via FIREBIRD\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022, \u0022dst_port\u0022: 3050, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022port\u0022: 3050, \u0022service\u0022: \u0022firebird\u0022, \u0022service_label_fr\u0022: \u0022FIREBIRD\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via FIREBIRD:3050 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:3050\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS\u0022, \u0022target_port_label\u0022: \u00223050 \u00b7 FIREBIRD\u0022, \u0022emulator_service\u0022: \u0022firebird\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022firebird\u0022, \u0022service_banner\u0022: \u0022honeypot-firebird\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223050\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022firebird_emulated\u0022, \u0022firebird_payload\u0022, \u0022mozi_pattern\u0022, \u0022net_firebird_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":941},{"id":12567040,"ip":"160.119.71.136","ts":"2026-07-16 21:37:37.000000","proto":"tcp","src_port":51330,"dst_port":8004,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022affd667937319ba36aa098ac5e3b53f4e282c1fe\u0022, \u0022http_host_hash\u0022: \u00221397ca07af082e84dda99de43d53a32d001ddc1b\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 975, \u0022payload_entropy\u0022: 5.67468850614206, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8004, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225b054e599cc208b129456528a3871422870a5da7\u0022, \u0022event_fingerprint\u0022: \u002221dd29ff13a08abca55105dcc9de2f1584941ee3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226990db627a3d5a6ae3f8a2c22924225b\u0022, \u0022payload_hash\u0022: \u0022a8cbe6652184f48e9a83ac82ed5f688a\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Enco\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1\\r\\nAccept-Enco\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228980c8cfe646125d774df161e98072091ae25c3a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8004, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mob\u2026\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iP\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8004\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8004","http_user_agent":"Mozilla\/5.0 (iPhone; CPU iPhone OS 17_7 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/134.0.6998.99 Mobile\/15E148 Safari\/604.1","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":975},{"id":12567038,"ip":"160.119.71.136","ts":"2026-07-16 21:37:37.000000","proto":"tcp","src_port":51322,"dst_port":8004,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221c1f86ba252c0c8ebc250acab48718f12d6d1efd\u0022, \u0022http_host_hash\u0022: \u00221397ca07af082e84dda99de43d53a32d001ddc1b\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 928, \u0022payload_entropy\u0022: 5.643417946361074, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8004, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c59e0e64ac61f10850708470f3d6edf657bdb2e5\u0022, \u0022event_fingerprint\u0022: \u0022f00f6b24d773d8bde9bcb150d9e66e8583e96a20\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002272d43eb808798db218d063798749cc39\u0022, \u0022payload_hash\u0022: \u00223737a6498a9770119f0426ac08a1cb37\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-R\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-R\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227f1ae49fcb5caa938b165e8a020c25131bf8ae12\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8004, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) A\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8004\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8004","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":928},{"id":12567035,"ip":"160.119.71.136","ts":"2026-07-16 21:37:36.000000","proto":"tcp","src_port":51308,"dst_port":8004,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u00221397ca07af082e84dda99de43d53a32d001ddc1b\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 944, \u0022payload_entropy\u0022: 5.658179657644291, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8004, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228f3396a82fecb2c6eea1e1d89af4b16e3c23e8bb\u0022, \u0022event_fingerprint\u0022: \u0022f88d5f055bd9366ab7babc1fc9332e95f96aeb34\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u0022711a8caee3ad46bd2cf5d0c2c7c39eaa\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002282205378e1660356aba5aa5bf6da668bcad3e15d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8004, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8004\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8004","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":944},{"id":12567036,"ip":"160.119.71.136","ts":"2026-07-16 21:37:36.000000","proto":"tcp","src_port":51314,"dst_port":8004,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u00221397ca07af082e84dda99de43d53a32d001ddc1b\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 959, \u0022payload_entropy\u0022: 5.633598631007555, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8004, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d7f739125142c79df197cef7b058b69d64488ce7\u0022, \u0022event_fingerprint\u0022: \u0022db206961638ccd6b03dd3851eb8ac87f259a88b5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u002274c30cb023846ac50499af75c3f8fdd1\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220ba05a44d8f54f13afa59c114623342c6aeb4ffe\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8004, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8004\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8004","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":959},{"id":12567033,"ip":"160.119.71.136","ts":"2026-07-16 21:37:35.000000","proto":"tcp","src_port":35092,"dst_port":8004,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d336075c3988c6b7205cebd57d13f49ace6a0b3b\u0022, \u0022http_host_hash\u0022: \u00221397ca07af082e84dda99de43d53a32d001ddc1b\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 933, \u0022payload_entropy\u0022: 5.665728160982721, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8004, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022904ba5a8303c959071cf58222ae0f4b8208c2632\u0022, \u0022event_fingerprint\u0022: \u00220fd5e53101ce6a01518499d83f1288e01d5ee635\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225ea6889a59d080298a42c0e1b4758211\u0022, \u0022payload_hash\u0022: \u0022c42cacde9745e5381d1bbb3273136e76\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Ne\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Ne\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221d332d1080014131fc349e3bd16baf2cda05d89d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8004, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8004\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8004","http_user_agent":"Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":933},{"id":12567034,"ip":"160.119.71.136","ts":"2026-07-16 21:37:35.000000","proto":"tcp","src_port":51306,"dst_port":8004,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d336075c3988c6b7205cebd57d13f49ace6a0b3b\u0022, \u0022http_host_hash\u0022: \u00221397ca07af082e84dda99de43d53a32d001ddc1b\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 938, \u0022payload_entropy\u0022: 5.674446887680444, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8004, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c59e0e64ac61f10850708470f3d6edf657bdb2e5\u0022, \u0022event_fingerprint\u0022: \u002232982caaf741077be0408e2829d95e31d40ae19b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225ea6889a59d080298a42c0e1b4758211\u0022, \u0022payload_hash\u0022: \u002217d9f80fb7a20943fce6d2f6d8eda32d\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223e47071576c764558625de43e4a965f437a9e052\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8004, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8004, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8004 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8004\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 1\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8004\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8004","http_user_agent":"Mozilla\/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":938},{"id":12567032,"ip":"160.119.71.136","ts":"2026-07-16 21:37:34.000000","proto":"tcp","src_port":35076,"dst_port":8004,"service":"http-alt-8004","classification":"http-alt-8004","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http-alt-8004\u0022, \u0022app_proto\u0022: \u0022http-alt-8004\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8004, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223655e498a6900252f8c5d3b95612083030efdf4b\u0022, \u0022event_fingerprint\u0022: \u00224b1decdc5433fc714f50aea5037261585c0d6999\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8004 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http-alt-8004\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00228897835eec14d9ee2cd85c1470ad4cdd\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8004, \u0022service\u0022: \u0022http-alt-8004\u0022, \u0022service_name\u0022: \u0022http-alt-8004\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022188ef29b46b7fd075c974e5c4a8eb1e763eb2e71\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 8004, \u0022service\u0022: \u0022http-alt-8004\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8004\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8004 \u00b7 via HTTP ALT 8004:8004 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP ALT 8004\u0022, \u0022emulator_service\u0022: \u0022http-alt-8004\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8004 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-8004 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-8004\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8004\u0022, \u0022dst_port\u0022: 8004, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8004\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 8004, \u0022service\u0022: \u0022http-alt-8004\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8004\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8004 \u00b7 via HTTP ALT 8004:8004 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00228004 \u00b7 HTTP ALT 8004\u0022, \u0022emulator_service\u0022: \u0022http-alt-8004\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8004\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8004\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228004\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":12562606,"ip":"160.119.71.136","ts":"2026-07-16 21:01:38.000000","proto":"tcp","src_port":60792,"dst_port":8005,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00221978af5307537775fab4b66b0f1439319be37ce1\u0022, \u0022http_host_hash\u0022: \u00227bfcd12b5dbd455ba71259931b26992d0bd516d8\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 996, \u0022payload_entropy\u0022: 5.6787485205497426, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8005, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022035b18e6307d46f16ddf1dfe523fde616b5c10bd\u0022, \u0022event_fingerprint\u0022: \u002255ef122b91d15a9e9693c8e8b40f81e5d7db351b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00227967be4fa492cfad4b86b41e3ae090e9\u0022, \u0022payload_hash\u0022: \u00227c64124251009de5401d75833f2f91bc\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safa\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safa\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002226d7ef67e4ec705c266c5619a761c79528486843\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 \u2026\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Andr\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8005\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8005","http_user_agent":"Mozilla\/5.0 (Linux; Android 14; SM-F9560 Build\/UP1A.231005.007; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/127.0.6533.103 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":996},{"id":12562607,"ip":"160.119.71.136","ts":"2026-07-16 21:01:38.000000","proto":"tcp","src_port":60794,"dst_port":8005,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/app","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228563f2ed0fd1b3832e8c528ca96b1f98a5b0004e\u0022, \u0022http_host_hash\u0022: \u00227bfcd12b5dbd455ba71259931b26992d0bd516d8\u0022, \u0022http_target_hash\u0022: \u00220c35eebf403cf91fe77a64921d76aa1ca6411d20\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 949, \u0022payload_entropy\u0022: 5.649562374156473, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8005, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226dd331160e0bddf6a513973b1d12f2e01f5f8f88\u0022, \u0022event_fingerprint\u0022: \u00225307c75f6521047860c74b7cfeab59a860cc35af\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022fcf5bfa409c42db4e4a5f32bcc91f966\u0022, \u0022payload_hash\u0022: \u0022e00126c6db229359f2b9bab3c9c9efd0\u0022, \u0022path_pattern_hash\u0022: \u0022f53b52ad6d21cceb72dfa78fb67614fe\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/app\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action\u0022, \u0022payload_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022db2cd61ae833cce006158d22056807d3b7b2cf0e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/app\u0022, \u0022request_line\u0022: \u0022POST \/app HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/app\u0022, \u0022evidence_snippet\u0022: \u0022POST \/app HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 522\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Linux; Android 10; K\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8005\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8005","http_user_agent":"Mozilla\/5.0 (Linux; Android 10; K) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.6998.135 Mobile Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":949},{"id":12562608,"ip":"160.119.71.136","ts":"2026-07-16 21:01:38.000000","proto":"tcp","src_port":60806,"dst_port":8005,"service":"http","classification":"http_smuggling_probe","waf_score":62,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api\/route","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00220703723cf11531696e7769eb22f8d9b281390533\u0022, \u0022http_host_hash\u0022: \u00227bfcd12b5dbd455ba71259931b26992d0bd516d8\u0022, \u0022http_target_hash\u0022: \u00221a9b2c3dbe8a713bfc0c240bb1a6ea2141b55601\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 943, \u0022payload_entropy\u0022: 5.659150710141214, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8005, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 16, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224e58a0dc188cda2e9732c32b4ca5dfa38933fcc6\u0022, \u0022event_fingerprint\u0022: \u00229f90a80fbf92bc06648891f2462494fd383ee232\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c9d890423bdd8f672926a6e46bf361c3\u0022, \u0022payload_hash\u0022: \u0022f550aa8ec662eb67a5ce8a5533a33fe8\u0022, \u0022path_pattern_hash\u0022: \u00227c4fe35e07eebe8bea27a36c14378e32\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\/route\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c81f366ac7fe0e7e20e566e89db7c9d99b3b73d8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\/route\u0022, \u0022request_line\u0022: \u0022POST \/api\/route HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\/route\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api\/route HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 10 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 10 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8005\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8005","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_api_route_probe\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":943},{"id":12562605,"ip":"160.119.71.136","ts":"2026-07-16 21:01:37.000000","proto":"tcp","src_port":60782,"dst_port":8005,"service":"http","classification":"http_smuggling_probe","waf_score":56,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022]","http_method":"POST","http_target":"\/api","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u00227bfcd12b5dbd455ba71259931b26992d0bd516d8\u0022, \u0022http_target_hash\u0022: \u0022ada91241341ae792ecf0a59cad28616a77bab856\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 943, \u0022payload_entropy\u0022: 5.652225249936106, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8005, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 14, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a448a8ebff885d4b2b211d8e0a036880f6528fd1\u0022, \u0022event_fingerprint\u0022: \u0022dfe9f8820ce8189ad3ee7fee8e0c517173dd1ef7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u0022c6dceefea6ac4c2b07178a1475509c3b\u0022, \u0022path_pattern_hash\u0022: \u0022702acf7c08d3b03b321d97b4903ad221\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/api\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022k8s-api\u0022], \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Actio\u0022, \u0022payload_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eaaf261ba61a0b6e6e886d73b151ca603852f6b3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/api\u0022, \u0022request_line\u0022: \u0022POST \/api HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/api\u0022, \u0022evidence_snippet\u0022: \u0022POST \/api HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 517\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8005\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8005","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950600:k8s-api\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_probe_api\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":943},{"id":12562604,"ip":"160.119.71.136","ts":"2026-07-16 21:01:36.000000","proto":"tcp","src_port":60766,"dst_port":8005,"service":"http","classification":"http_smuggling_probe","waf_score":52,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022a76e08b809549a8ef70acaf7074b5caa8a051858\u0022, \u0022http_host_hash\u0022: \u00227bfcd12b5dbd455ba71259931b26992d0bd516d8\u0022, \u0022http_target_hash\u0022: \u0022afd9bdeafd8c657f6b493ada03c51e348516227b\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 947, \u0022payload_entropy\u0022: 5.654902244252276, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8005, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226dd331160e0bddf6a513973b1d12f2e01f5f8f88\u0022, \u0022event_fingerprint\u0022: \u00224f1e74f0e2f92f9d59b8521d71839021ad8814bd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264a32e80cd1b4b7b1af4cc78f58848ee\u0022, \u0022payload_hash\u0022: \u0022769a5b5506bf1315f44ee9d35d970a23\u0022, \u0022path_pattern_hash\u0022: \u0022bfd33612e3863357684bd23d10455a76\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0\\r\\nAccept-Encoding: gzip, deflate\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002282d389cf51f900653c3f67031746763b1d4f648b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\u0022, \u0022request_line\u0022: \u0022POST \/_next HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134\u2026\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 513\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; W\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 8 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 8 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8005\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8005","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36 Edg\/134.0.0.0","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":947},{"id":12562601,"ip":"160.119.71.136","ts":"2026-07-16 21:01:35.000000","proto":"tcp","src_port":60746,"dst_port":8005,"service":"http-alt-8005","classification":"http-alt-8005","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http-alt-8005\u0022, \u0022app_proto\u0022: \u0022http-alt-8005\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8005, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d9af369bde4e2828665e2d4e9860ebc242ac85ed\u0022, \u0022event_fingerprint\u0022: \u0022701e9661ceed5a960b420218a0913f7296688bbc\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8005 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http-alt-8005\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u00221447265d540bf94fc553db8c676a07e1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8005, \u0022service\u0022: \u0022http-alt-8005\u0022, \u0022service_name\u0022: \u0022http-alt-8005\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef3d53a2a3a411f37ee5257e9cf6963f6cb147cc\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 8005, \u0022service\u0022: \u0022http-alt-8005\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8005\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8005 \u00b7 via HTTP ALT 8005:8005 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP ALT 8005\u0022, \u0022emulator_service\u0022: \u0022http-alt-8005\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http-alt-8005 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http-alt-8005 \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http-alt-8005\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8005\u0022, \u0022dst_port\u0022: 8005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http-alt-8005\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 8005, \u0022service\u0022: \u0022http-alt-8005\u0022, \u0022service_label_fr\u0022: \u0022HTTP ALT 8005\u0022}, \u0022attack_vector\u0022: \u0022http-alt-8005 \u00b7 via HTTP ALT 8005:8005 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP ALT 8005\u0022, \u0022emulator_service\u0022: \u0022http-alt-8005\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http_alt_8005\u0022, \u0022service_banner\u0022: \u0022honeypot-http-alt-8005\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":12562603,"ip":"160.119.71.136","ts":"2026-07-16 21:01:35.000000","proto":"tcp","src_port":60756,"dst_port":8005,"service":"http","classification":"http_smuggling_probe","waf_score":55,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022fac64969f9eca34262c56352be2d62dd2d22b1a0\u0022, \u0022http_host_hash\u0022: \u00227bfcd12b5dbd455ba71259931b26992d0bd516d8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 903, \u0022payload_entropy\u0022: 5.633434360301364, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 8005, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 72, \u0022tag_count\u0022: 13, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002280b5fcb7933523f151c1488fb5713bc3f05c8e6b\u0022, \u0022event_fingerprint\u0022: \u00221481542461ea81f594f7670822f75aa73bc92829\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229f10b48170735feac18b44fa385fef37\u0022, \u0022payload_hash\u0022: \u0022c321dabe4f97f5652934dc94baea2f89\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 72}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\\nCont\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\\r\\nAccept-Encoding: gzip, deflate\\r\\nNext-Action: x\\r\\nX-Nextjs-Request-Id: poop1234\\r\\nCont\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002223e4cfd345772df2109289f1298d465ece95f420\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 72\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 72, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 72, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8005, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.\u0022, \u0022port\u0022: 8005, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:8005 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8005\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64;\u0022, \u0022target_port_label\u0022: \u00228005 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228005\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022http-alt-8005\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8005","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko\/20100101 Firefox\/136.","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":903},{"id":12560197,"ip":"160.119.71.136","ts":"2026-07-16 20:39:55.000000","proto":"tcp","src_port":36250,"dst_port":9901,"service":"http","classification":"http_smuggling_probe","waf_score":58,"waf_tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022]","http_method":"POST","http_target":"\/_next\/server","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 9, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00228447a2dfcfbbdcc75d5b5272da958411ec73dd1a\u0022, \u0022http_host_hash\u0022: \u00229a0d91d976f8736fe81fe3d8c16dfb97e2f2ee63\u0022, \u0022http_target_hash\u0022: \u0022bef481449499f499a0b29ed75c9630076205b04f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 953, \u0022payload_entropy\u0022: 5.642979882778687, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 49870, \u0022country\u0022: \u0022SC\u0022, \u0022dst_port\u0022: 9901, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 10, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 73, \u0022tag_count\u0022: 12, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ba9f2d3fe29c34fc92e5683f3b1c4e03901cf920\u0022, \u0022event_fingerprint\u0022: \u00223dde3ac5d445241b11c4f91d55178f37cab1c814\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 73, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SC\u0022, \u0022asn\u0022: 49870, \u0022org\u0022: \u0022Alsycon B.V.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002293af66442f9c9958e5fcc0142d9e74de\u0022, \u0022payload_hash\u0022: \u00222345e168af565cf11b2ecf2c465a2fe5\u0022, \u0022path_pattern_hash\u0022: \u00224d9c4ca8a8065d3ce7073b6b23f61056\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9901, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 73}, \u0022payload_preview\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:9901\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; \u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:9901\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:9901\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/_next\/server\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022], \u0022waf_rule_names\u0022: [\u0022sqli-4\u0022, \u0022rce-0\u0022, \u0022rce-2\u0022, \u0022rce-14\u0022, \u0022nosqli-3\u0022, \u0022proto-0\u0022, \u0022upload-0\u0022], \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:9901\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\\r\\nAccept-Encoding: gzip, deflate\\r\\nN\u0022, \u0022payload_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:9901\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ad00669b46d0e9f2b494ff692de068c81547b0c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 9901, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:9901\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:9901 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022target_port_label\u0022: \u00229901 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 73\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 73, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 73, \u0022risk_label\u0022: \u0022\u00c9lev\u00e9\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9901, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/_next\/server\u0022, \u0022request_line\u0022: \u0022POST \/_next\/server HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\u0022, \u0022port\u0022: 9901, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:9901 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/_next\/server\u0022, \u0022evidence_snippet\u0022: \u0022POST \/_next\/server HTTP\/1.1\\r\\nHost: 62.3.50.33:9901\\r\\nContent-Length: 518\\r\\nConnection: close\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh;\u0022, \u0022target_port_label\u0022: \u00229901 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 9 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 9 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229901\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:9901\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9901","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950019:sqli-4\u0022, \u0022950326:rce-0\u0022, \u0022950327:rce-0\u0022, \u0022950335:rce-2\u0022, \u0022950382:rce-14\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950493:proto-0\u0022, \u0022950549:upload-0\u0022, \u0022http_contenttype_attack_surface\u0022, \u0022http_prototype_pollution\u0022, \u0022http_ssti\u0022]","anomalies":"[]","severity":10,"bytes_in":953}],"total_events":407}