Renseignement sur les menaces

États-Unis

162.240.226.121

FAI Unified Layer Première vue 16/05/2026 10:16 UTC Dernière vue 17/06/2026 07:03 UTC Risque Élevé

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte — risque 42/100 (Moyen) — MITRE T1046 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Campagne multi-ports détectée sur une fenêtre courte

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 75/100 Élevé

Première observation 16/05/2026 10:16 UTC

Dernière observation 17/06/2026 07:03 UTC

Événements (période) 102

MITRE ATT&CK principal T1046 51 occurrences

Activité suspecte — risque 42/100 (Moyen) — MITRE T1046 — confiance 100 % — via HTTP — multi-protocole (2 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 100%

Confiance 100 % — Score WAF 8 · Bonus corrélation +18

Comparaison ASN / FAI

ASN 46606 · 162.240.0.0/15 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 102 événements sur la période pour cette IP.

162.214.99.34 Sonde port 14/06/2026 16:26 UTC
162.241.204.149 Bruteforce SSH 01/05/2026 16:25 UTC
162.215.1.156 Bruteforce SSH 01/05/2026 13:20 UTC
162.240.173.11 bruteforce burst 01/05/2026 01:00 UTC
162.144.66.194 bruteforce burst 30/04/2026 14:28 UTC
162.214.130.225 Bruteforce SSH 30/04/2026 10:32 UTC
162.215.135.80 mssql attack 01/04/2026 17:49 UTC
162.240.54.168 Sonde SSH 02/03/2026 23:45 UTC

Événements (filtres)

102

Première observation

16/05/2026 10:16 UTC

Dernière observation

17/06/2026 07:03 UTC

Dernière activité (filtres)

17/06/2026 07:03 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 87 VMWARE AUTH TCP 15

HTTP

VMWARE AUTH

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Unified Layer 1 Port 8910 minecraft_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

port scan syn · via HTTP:6602 · (reconnaissance) · → /port

Détails protocole

Méthode: GET
Chemin: /port

Aperçu payload

GET /port?65001 HTTP/1.1 �A

Port / service

6602 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 100 % — 3 signal(aux) capteur

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S

Confiance

100% Corrélation +18

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

102 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

102 événement(s) — page 1/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 07:03:45 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 0.87, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 07:03:43 UTC	TCP	28017 · HTTP	http	Scan de ports port scan syn · via HTTP:28017 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua net_web_probe Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c77418c0bf3d473eac99ac9ff07d28bf1709ad07", "event_fingerprint": "5d1738688fffc6d7f794db28326d6ea2ac394f5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ec1ba52c1ff3c192d2e346d01d9274d14c1c793", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 1.08, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua", "net_web_probe" ] }
17/06/2026 07:03:42 UTC	TCP	17775 · HTTP	http	Scan de ports port scan syn · via HTTP:17775 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 17775, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73fd0356cfbf11d6baa32c94fae99d190c15b59e", "event_fingerprint": "243c831d20286bccd6a37bb190c546278d521a78", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e89badb607fb5e33759190b3e23d02a6b21ec6e", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 902, 8910, 9939, 17775 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.24, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 07:03:41 UTC	TCP	902 · VMWARE AUTH	vmware-auth	Scan de ports port scan syn · via VMWARE AUTH:902 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VMWARE-AUTH WAF — Recommandation Surveiller Tags http_get_probe net_vmware_vcenter_probe vmware_vcenter_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 902 Chemin / cible — Service VMWARE AUTH Payload GET /port?65001 HTTP/1.1 �A Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420766d776172655f6175746820726561647920706f72743d3930320d0a", "emulator_response_len": 41, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "well_known", "org": "Unified Layer", "service": "vmware-auth", "app_proto": "vmware-auth", "asn": 46606, "country": "US", "dst_port": 902, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "36512330d5f87d2eec1d94aacbb1e58a15f81f92", "event_fingerprint": "e71dbd303d193d420c1b70937592f6c8d2b42f50", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "vmware-auth", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 902, "service": "vmware-auth", "service_name": "vmware-auth", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2faf6c353502f80ef8bb44ff70c33715cf940d6", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VMWARE AUTH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vmware-auth", "service_label_fr": "VMWARE AUTH", "dst_port": 902, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vmware-auth", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vmware_auth", "service_banner": "honeypot-vmware-auth", "service_os": "linux", "dst_port": "902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 1.27, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_vmware_vcenter_probe", "vmware_vcenter_probe" ] }
17/06/2026 07:03:40 UTC	TCP	9939 · HTTP	http	minecraft probe minecraft probe · via HTTP:9939 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9939 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 9939, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8217ab65b5a132d4d9c4022502400f2f915bd9e3", "event_fingerprint": "7799137bd6663408175cf1359a181d4009fd475c", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 9939, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6830b157c4467270615d3e6d237aff4b927e6260", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9939, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9939" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 07:03:39 UTC	TCP	8910 · HTTP	http	minecraft probe minecraft probe · via HTTP:8910 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8910 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 8910, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "039c40a6cd7fe99a2f61bdc1b435391297e97ff5", "event_fingerprint": "82820c76a4d8554e2003f1a870123e546aa42e0a", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 8910, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5229b392e46d968709b4a0f82a672d658d90af2b", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8910, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 04:21:47 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 0.85, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 04:21:44 UTC	TCP	28017 · HTTP	http	Scan de ports port scan syn · via HTTP:28017 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua net_web_probe Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c77418c0bf3d473eac99ac9ff07d28bf1709ad07", "event_fingerprint": "5d1738688fffc6d7f794db28326d6ea2ac394f5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ec1ba52c1ff3c192d2e346d01d9274d14c1c793", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 1.1, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua", "net_web_probe" ] }
17/06/2026 04:21:43 UTC	TCP	17775 · HTTP	http	Scan de ports port scan syn · via HTTP:17775 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 17775, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73fd0356cfbf11d6baa32c94fae99d190c15b59e", "event_fingerprint": "243c831d20286bccd6a37bb190c546278d521a78", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e89badb607fb5e33759190b3e23d02a6b21ec6e", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 902, 8910, 9939, 17775 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.3, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 04:21:42 UTC	TCP	902 · VMWARE AUTH	vmware-auth	Scan de ports port scan syn · via VMWARE AUTH:902 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VMWARE-AUTH WAF — Recommandation Surveiller Tags http_get_probe net_vmware_vcenter_probe vmware_vcenter_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 902 Chemin / cible — Service VMWARE AUTH Payload GET /port?65001 HTTP/1.1 �A Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420766d776172655f6175746820726561647920706f72743d3930320d0a", "emulator_response_len": 41, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "well_known", "org": "Unified Layer", "service": "vmware-auth", "app_proto": "vmware-auth", "asn": 46606, "country": "US", "dst_port": 902, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "36512330d5f87d2eec1d94aacbb1e58a15f81f92", "event_fingerprint": "e71dbd303d193d420c1b70937592f6c8d2b42f50", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "vmware-auth", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 902, "service": "vmware-auth", "service_name": "vmware-auth", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2faf6c353502f80ef8bb44ff70c33715cf940d6", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VMWARE AUTH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vmware-auth", "service_label_fr": "VMWARE AUTH", "dst_port": 902, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vmware-auth", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vmware_auth", "service_banner": "honeypot-vmware-auth", "service_os": "linux", "dst_port": "902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 1.35, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_vmware_vcenter_probe", "vmware_vcenter_probe" ] }
17/06/2026 04:21:41 UTC	TCP	9939 · HTTP	http	minecraft probe minecraft probe · via HTTP:9939 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9939 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 9939, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8217ab65b5a132d4d9c4022502400f2f915bd9e3", "event_fingerprint": "7799137bd6663408175cf1359a181d4009fd475c", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 9939, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6830b157c4467270615d3e6d237aff4b927e6260", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9939, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9939" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 04:21:40 UTC	TCP	8910 · HTTP	http	minecraft probe minecraft probe · via HTTP:8910 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8910 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 8910, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "039c40a6cd7fe99a2f61bdc1b435391297e97ff5", "event_fingerprint": "82820c76a4d8554e2003f1a870123e546aa42e0a", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 8910, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5229b392e46d968709b4a0f82a672d658d90af2b", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8910, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 03:32:25 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 0.85, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 03:32:22 UTC	TCP	28017 · HTTP	http	Scan de ports port scan syn · via HTTP:28017 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua net_web_probe Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c77418c0bf3d473eac99ac9ff07d28bf1709ad07", "event_fingerprint": "5d1738688fffc6d7f794db28326d6ea2ac394f5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ec1ba52c1ff3c192d2e346d01d9274d14c1c793", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 1.08, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua", "net_web_probe" ] }
17/06/2026 03:32:21 UTC	TCP	17775 · HTTP	http	Scan de ports port scan syn · via HTTP:17775 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 17775, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73fd0356cfbf11d6baa32c94fae99d190c15b59e", "event_fingerprint": "243c831d20286bccd6a37bb190c546278d521a78", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e89badb607fb5e33759190b3e23d02a6b21ec6e", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 902, 8910, 9939, 17775 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.31, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 03:32:20 UTC	TCP	902 · VMWARE AUTH	vmware-auth	Scan de ports port scan syn · via VMWARE AUTH:902 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VMWARE-AUTH WAF — Recommandation Surveiller Tags http_get_probe net_vmware_vcenter_probe vmware_vcenter_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 902 Chemin / cible — Service VMWARE AUTH Payload GET /port?65001 HTTP/1.1 �A Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420766d776172655f6175746820726561647920706f72743d3930320d0a", "emulator_response_len": 41, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "well_known", "org": "Unified Layer", "service": "vmware-auth", "app_proto": "vmware-auth", "asn": 46606, "country": "US", "dst_port": 902, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "36512330d5f87d2eec1d94aacbb1e58a15f81f92", "event_fingerprint": "e71dbd303d193d420c1b70937592f6c8d2b42f50", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "vmware-auth", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 902, "service": "vmware-auth", "service_name": "vmware-auth", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2faf6c353502f80ef8bb44ff70c33715cf940d6", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VMWARE AUTH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vmware-auth", "service_label_fr": "VMWARE AUTH", "dst_port": 902, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vmware-auth", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vmware_auth", "service_banner": "honeypot-vmware-auth", "service_os": "linux", "dst_port": "902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 1.36, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_vmware_vcenter_probe", "vmware_vcenter_probe" ] }
17/06/2026 03:32:19 UTC	TCP	9939 · HTTP	http	minecraft probe minecraft probe · via HTTP:9939 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9939 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 9939, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8217ab65b5a132d4d9c4022502400f2f915bd9e3", "event_fingerprint": "7799137bd6663408175cf1359a181d4009fd475c", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 9939, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6830b157c4467270615d3e6d237aff4b927e6260", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9939, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9939" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
17/06/2026 03:32:18 UTC	TCP	8910 · HTTP	http	minecraft probe minecraft probe · via HTTP:8910 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8910 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 8910, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "039c40a6cd7fe99a2f61bdc1b435391297e97ff5", "event_fingerprint": "82820c76a4d8554e2003f1a870123e546aa42e0a", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 8910, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5229b392e46d968709b4a0f82a672d658d90af2b", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8910, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
16/06/2026 20:28:19 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 0.83, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
16/06/2026 20:28:17 UTC	TCP	28017 · HTTP	http	Scan de ports port scan syn · via HTTP:28017 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua net_web_probe Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c77418c0bf3d473eac99ac9ff07d28bf1709ad07", "event_fingerprint": "5d1738688fffc6d7f794db28326d6ea2ac394f5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ec1ba52c1ff3c192d2e346d01d9274d14c1c793", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 1.15, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua", "net_web_probe" ] }
16/06/2026 20:28:15 UTC	TCP	902 · VMWARE AUTH	vmware-auth	Scan de ports port scan syn · via VMWARE AUTH:902 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VMWARE-AUTH WAF — Recommandation Surveiller Tags http_get_probe net_vmware_vcenter_probe vmware_vcenter_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 902 Chemin / cible — Service VMWARE AUTH Payload GET /port?65001 HTTP/1.1 �A Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420766d776172655f6175746820726561647920706f72743d3930320d0a", "emulator_response_len": 41, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "well_known", "org": "Unified Layer", "service": "vmware-auth", "app_proto": "vmware-auth", "asn": 46606, "country": "US", "dst_port": 902, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "36512330d5f87d2eec1d94aacbb1e58a15f81f92", "event_fingerprint": "e71dbd303d193d420c1b70937592f6c8d2b42f50", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "vmware-auth", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 902, "service": "vmware-auth", "service_name": "vmware-auth", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2faf6c353502f80ef8bb44ff70c33715cf940d6", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VMWARE AUTH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vmware-auth", "service_label_fr": "VMWARE AUTH", "dst_port": 902, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vmware-auth", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vmware_auth", "service_banner": "honeypot-vmware-auth", "service_os": "linux", "dst_port": "902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 1.47, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_vmware_vcenter_probe", "vmware_vcenter_probe" ] }
16/06/2026 20:28:15 UTC	TCP	17775 · HTTP	http	Scan de ports port scan syn · via HTTP:17775 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 17775, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73fd0356cfbf11d6baa32c94fae99d190c15b59e", "event_fingerprint": "243c831d20286bccd6a37bb190c546278d521a78", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e89badb607fb5e33759190b3e23d02a6b21ec6e", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 902, 8910, 9939, 17775 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.4, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
16/06/2026 20:28:14 UTC	TCP	9939 · HTTP	http	minecraft probe minecraft probe · via HTTP:9939 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9939 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 9939, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8217ab65b5a132d4d9c4022502400f2f915bd9e3", "event_fingerprint": "7799137bd6663408175cf1359a181d4009fd475c", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 9939, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6830b157c4467270615d3e6d237aff4b927e6260", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9939, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9939" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
16/06/2026 20:28:12 UTC	TCP	8910 · HTTP	http	minecraft probe minecraft probe · via HTTP:8910 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8910 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 8910, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "039c40a6cd7fe99a2f61bdc1b435391297e97ff5", "event_fingerprint": "82820c76a4d8554e2003f1a870123e546aa42e0a", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 8910, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5229b392e46d968709b4a0f82a672d658d90af2b", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8910, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
16/06/2026 05:53:48 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 0.83, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
16/06/2026 05:53:46 UTC	TCP	28017 · HTTP	http	Scan de ports port scan syn · via HTTP:28017 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua net_web_probe Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c77418c0bf3d473eac99ac9ff07d28bf1709ad07", "event_fingerprint": "5d1738688fffc6d7f794db28326d6ea2ac394f5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ec1ba52c1ff3c192d2e346d01d9274d14c1c793", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 1.04, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua", "net_web_probe" ] }
16/06/2026 05:53:44 UTC	TCP	17775 · HTTP	http	Scan de ports port scan syn · via HTTP:17775 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 17775, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73fd0356cfbf11d6baa32c94fae99d190c15b59e", "event_fingerprint": "243c831d20286bccd6a37bb190c546278d521a78", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e89badb607fb5e33759190b3e23d02a6b21ec6e", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 902, 8910, 9939, 17775 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.23, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
16/06/2026 05:53:43 UTC	TCP	9939 · HTTP	http	minecraft probe minecraft probe · via HTTP:9939 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9939 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 9939, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8217ab65b5a132d4d9c4022502400f2f915bd9e3", "event_fingerprint": "7799137bd6663408175cf1359a181d4009fd475c", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 9939, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6830b157c4467270615d3e6d237aff4b927e6260", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9939, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9939" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
16/06/2026 05:53:43 UTC	TCP	902 · VMWARE AUTH	vmware-auth	Scan de ports port scan syn · via VMWARE AUTH:902 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VMWARE-AUTH WAF — Recommandation Surveiller Tags http_get_probe net_vmware_vcenter_probe vmware_vcenter_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 902 Chemin / cible — Service VMWARE AUTH Payload GET /port?65001 HTTP/1.1 �A Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420766d776172655f6175746820726561647920706f72743d3930320d0a", "emulator_response_len": 41, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "well_known", "org": "Unified Layer", "service": "vmware-auth", "app_proto": "vmware-auth", "asn": 46606, "country": "US", "dst_port": 902, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "36512330d5f87d2eec1d94aacbb1e58a15f81f92", "event_fingerprint": "e71dbd303d193d420c1b70937592f6c8d2b42f50", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "vmware-auth", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 902, "service": "vmware-auth", "service_name": "vmware-auth", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2faf6c353502f80ef8bb44ff70c33715cf940d6", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VMWARE AUTH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vmware-auth", "service_label_fr": "VMWARE AUTH", "dst_port": 902, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vmware-auth", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vmware_auth", "service_banner": "honeypot-vmware-auth", "service_os": "linux", "dst_port": "902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 1.26, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_vmware_vcenter_probe", "vmware_vcenter_probe" ] }
16/06/2026 05:53:41 UTC	TCP	8910 · HTTP	http	minecraft probe minecraft probe · via HTTP:8910 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8910 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 8910, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "039c40a6cd7fe99a2f61bdc1b435391297e97ff5", "event_fingerprint": "82820c76a4d8554e2003f1a870123e546aa42e0a", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 8910, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5229b392e46d968709b4a0f82a672d658d90af2b", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8910, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
14/06/2026 16:27:28 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 0.72, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
14/06/2026 16:27:26 UTC	TCP	28017 · HTTP	http	Scan de ports port scan syn · via HTTP:28017 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua net_web_probe Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c77418c0bf3d473eac99ac9ff07d28bf1709ad07", "event_fingerprint": "5d1738688fffc6d7f794db28326d6ea2ac394f5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ec1ba52c1ff3c192d2e346d01d9274d14c1c793", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 5, "scan_velocity_ports_per_s": 1.07, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua", "net_web_probe" ] }
14/06/2026 16:27:24 UTC	TCP	17775 · HTTP	http	Scan de ports port scan syn · via HTTP:17775 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 17775, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73fd0356cfbf11d6baa32c94fae99d190c15b59e", "event_fingerprint": "243c831d20286bccd6a37bb190c546278d521a78", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e89badb607fb5e33759190b3e23d02a6b21ec6e", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 902, 8910, 9939, 17775 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.37, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
14/06/2026 16:27:23 UTC	TCP	9939 · HTTP	http	minecraft probe minecraft probe · via HTTP:9939 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9939 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 9939, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8217ab65b5a132d4d9c4022502400f2f915bd9e3", "event_fingerprint": "7799137bd6663408175cf1359a181d4009fd475c", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 9939, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6830b157c4467270615d3e6d237aff4b927e6260", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9939, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9939" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
14/06/2026 16:27:23 UTC	TCP	902 · VMWARE AUTH	vmware-auth	Scan de ports port scan syn · via VMWARE AUTH:902 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VMWARE-AUTH WAF — Recommandation Surveiller Tags http_get_probe net_vmware_vcenter_probe vmware_vcenter_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 902 Chemin / cible — Service VMWARE AUTH Payload GET /port?65001 HTTP/1.1 �A Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420766d776172655f6175746820726561647920706f72743d3930320d0a", "emulator_response_len": 41, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "well_known", "org": "Unified Layer", "service": "vmware-auth", "app_proto": "vmware-auth", "asn": 46606, "country": "US", "dst_port": 902, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "36512330d5f87d2eec1d94aacbb1e58a15f81f92", "event_fingerprint": "e71dbd303d193d420c1b70937592f6c8d2b42f50", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "vmware-auth", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 902, "service": "vmware-auth", "service_name": "vmware-auth", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2faf6c353502f80ef8bb44ff70c33715cf940d6", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VMWARE AUTH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vmware-auth", "service_label_fr": "VMWARE AUTH", "dst_port": 902, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vmware-auth", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vmware_auth", "service_banner": "honeypot-vmware-auth", "service_os": "linux", "dst_port": "902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 1.47, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_vmware_vcenter_probe", "vmware_vcenter_probe" ] }
14/06/2026 16:27:21 UTC	TCP	8910 · HTTP	http	minecraft probe minecraft probe · via HTTP:8910 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8910 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 8910, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "039c40a6cd7fe99a2f61bdc1b435391297e97ff5", "event_fingerprint": "82820c76a4d8554e2003f1a870123e546aa42e0a", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 8910, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5229b392e46d968709b4a0f82a672d658d90af2b", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8910, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 19:47:12 UTC	TCP	17775 · HTTP	http	Scan de ports port scan syn · via HTTP:17775 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 17775, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73fd0356cfbf11d6baa32c94fae99d190c15b59e", "event_fingerprint": "243c831d20286bccd6a37bb190c546278d521a78", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e89badb607fb5e33759190b3e23d02a6b21ec6e", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775 ], "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 19:47:12 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 902, 6602, 8910, 9939 ], "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 19:47:06 UTC	TCP	902 · VMWARE AUTH	vmware-auth	Sonde VMware vCenter vmware vcenter probe · via VMWARE AUTH:902 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur VMWARE-AUTH WAF — Recommandation Surveiller Tags http_get_probe net_vmware_vcenter_probe vmware_vcenter_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 902 Chemin / cible — Service VMWARE AUTH Payload GET /port?65001 HTTP/1.1 �A Pourquoi cette classification : Type « vmware_vcenter_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420766d776172655f6175746820726561647920706f72743d3930320d0a", "emulator_response_len": 41, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "well_known", "org": "Unified Layer", "service": "vmware-auth", "app_proto": "vmware-auth", "asn": 46606, "country": "US", "dst_port": 902, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "36512330d5f87d2eec1d94aacbb1e58a15f81f92", "event_fingerprint": "e71dbd303d193d420c1b70937592f6c8d2b42f50", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab vmware_vcenter_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 45, "correlation_boost": 8 }, "service_name": "vmware-auth", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "9893f4639c0ab442a649ec648b889bad" }, "target_context": { "dst_port": 902, "service": "vmware-auth", "service_name": "vmware-auth", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab vmware_vcenter_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "645a23fb4fa6edd0d48731a31b4b81cd20356620", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "vmware vcenter probe \u00b7 via VMWARE AUTH:902 \u00b7 (sonde \/ probe)", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab vmware_vcenter_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab vmware_vcenter_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 45, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "vmware-auth", "service_label_fr": "VMWARE AUTH", "dst_port": 902, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vmware-auth", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "attack_vector": "vmware vcenter probe \u00b7 via VMWARE AUTH:902 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vmware_auth", "service_banner": "honeypot-vmware-auth", "service_os": "linux", "dst_port": "902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_vmware_vcenter_probe", "vmware_vcenter_probe" ] }
08/06/2026 19:47:06 UTC	TCP	8910 · HTTP	http	Scan de ports port scan syn · via HTTP:8910 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8910 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 8910, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "039c40a6cd7fe99a2f61bdc1b435391297e97ff5", "event_fingerprint": "82820c76a4d8554e2003f1a870123e546aa42e0a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 8910, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "30f421c36651352c35d95551c683951ab9a94f14", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:8910 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8910, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8910 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 1.02, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 19:47:04 UTC	TCP	9939 · HTTP	http	minecraft probe minecraft probe · via HTTP:9939 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9939 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 9939, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8217ab65b5a132d4d9c4022502400f2f915bd9e3", "event_fingerprint": "7799137bd6663408175cf1359a181d4009fd475c", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 9939, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6830b157c4467270615d3e6d237aff4b927e6260", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9939, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9939" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 15:38:27 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775, 28017 ], "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 15:38:24 UTC	TCP	28017 · HTTP	http	Scan de ports port scan syn · via HTTP:28017 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua net_web_probe Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c77418c0bf3d473eac99ac9ff07d28bf1709ad07", "event_fingerprint": "5d1738688fffc6d7f794db28326d6ea2ac394f5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ec1ba52c1ff3c192d2e346d01d9274d14c1c793", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.11, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua", "net_web_probe" ] }
08/06/2026 15:38:22 UTC	TCP	17775 · HTTP	http	Scan de ports port scan syn · via HTTP:17775 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 17775 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 17775, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "73fd0356cfbf11d6baa32c94fae99d190c15b59e", "event_fingerprint": "243c831d20286bccd6a37bb190c546278d521a78", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 17775, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e89badb607fb5e33759190b3e23d02a6b21ec6e", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 17775, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 17775, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:17775 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "17775 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "17775" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 4, "port_scan_ports_sample": [ 902, 8910, 9939, 17775 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 1.18, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 15:38:21 UTC	TCP	902 · VMWARE AUTH	vmware-auth	Scan de ports port scan syn · via VMWARE AUTH:902 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur VMWARE-AUTH WAF — Recommandation Surveiller Tags http_get_probe net_vmware_vcenter_probe vmware_vcenter_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 902 Chemin / cible — Service VMWARE AUTH Payload GET /port?65001 HTTP/1.1 �A Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +12 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420766d776172655f6175746820726561647920706f72743d3930320d0a", "emulator_response_len": 41, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "well_known", "org": "Unified Layer", "service": "vmware-auth", "app_proto": "vmware-auth", "asn": 46606, "country": "US", "dst_port": 902, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "36512330d5f87d2eec1d94aacbb1e58a15f81f92", "event_fingerprint": "e71dbd303d193d420c1b70937592f6c8d2b42f50", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 231, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "named_classification_skipped": false, "service_name": "vmware-auth", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 902, "service": "vmware-auth", "service_name": "vmware-auth", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2faf6c353502f80ef8bb44ff70c33715cf940d6", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via VMWARE AUTH \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 0, "risk_score": 42, "correlation_boost": 12 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "vmware-auth", "service_label_fr": "VMWARE AUTH", "dst_port": 902, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-vmware-auth", "correlation_flags": [ "scan_rapide", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +12", "protocol_details": { "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "port": 902, "service": "vmware-auth", "service_label_fr": "VMWARE AUTH" }, "attack_vector": "port scan syn \u00b7 via VMWARE AUTH:902 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "902 \u00b7 VMWARE AUTH", "emulator_service": "vmware-auth", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "vmware_auth", "service_banner": "honeypot-vmware-auth", "service_os": "linux", "dst_port": "902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "rapid_port_scan": true, "rapid_scan_distinct_ports": 3, "scan_velocity_ports_per_s": 1.21, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 12, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_vmware_vcenter_probe", "vmware_vcenter_probe" ] }
08/06/2026 15:38:20 UTC	TCP	9939 · HTTP	http	minecraft probe minecraft probe · via HTTP:9939 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9939 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 9939, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8217ab65b5a132d4d9c4022502400f2f915bd9e3", "event_fingerprint": "7799137bd6663408175cf1359a181d4009fd475c", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 9939, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6830b157c4467270615d3e6d237aff4b927e6260", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9939, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 9939, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:9939 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "9939 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9939" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 15:38:18 UTC	TCP	8910 · HTTP	http	minecraft probe minecraft probe · via HTTP:8910 · (sonde / probe) · → /port	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8910 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « minecraft_probe » (signaux protocolaires) · confiance 42% Confiance classification 42% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 42 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 8910, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "039c40a6cd7fe99a2f61bdc1b435391297e97ff5", "event_fingerprint": "82820c76a4d8554e2003f1a870123e546aa42e0a", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "confidence": 0.42, "classification_confidence": 0.42, "precision_score": 50, "precision_signals": [ "pat-0554" ], "kb_rule_ids": [ "pat-0554" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 42, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 8910, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "game_server_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5229b392e46d968709b4a0f82a672d658d90af2b", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "classification_reason_label_fr": "Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 42%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 42, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8910, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 8910, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "minecraft probe \u00b7 via HTTP:8910 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "8910 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 42 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 42 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8910" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 13:57:04 UTC	TCP	12427 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:12427 · (tentative d'exploit)	Élevée	Élevé · 75
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST / UA Mozilla/5.0 Émulateur HTTP WAF 42 Recommandation Investiguer Tags 950019:sqli-4 950326:rce-0 950327:rce-0 950335:rce-2 Cible HTTP POST / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 12427 Chemin / cible / Service HTTP Pourquoi cette classification : Injection commande dans la requête · confiance 95% Confiance classification 95% Risque capteur Élevé · 75 Confiance : Confiance 95 % — Motif catalogue confirmé · 7 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL Ligne de requête `POST / HTTP/1.1` User-Agent Mozilla/5.0 Règles WAF sqli-4 rce-0 rce-2 proto-0 upload-0 sap-sapcontrol-path Payload (extrait) POST / HTTP/1.1 Host: 62.3.50.33:12427 User-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate Accept: / Connection: keep- Requête brute (extrait) POST / HTTP/1.1 Host: 62.3.50.33:12427 User-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive Next-Action: x Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Length: 839 Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "82aa6a482bd276cff149740478a603a5fe834840", "http_host_hash": "cfb87e98b272f9267d71ec9321806fff7661f934", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 1097, "payload_entropy": 5.650911612430428, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 12427, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 10, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 75, "tag_count": 12, "anomaly_count": 0, "campaign_key": "8dc9eb821388727dff2eae7a475f256f1843478d", "event_fingerprint": "1ec57b55c04f8c439863ca39c6c92a1ecd376e90", "classification_reason": "Injection commande dans la requ\u00eate \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842" ], "matched_pattern_names": [ "CRS 921130 duplicate CL" ], "pattern_ids": [ "pat-0842" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1066b48224bb188ceb955605f4fcff98", "payload_hash": "8a3c7bed79515cfd9eb355121737b256", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 12427, "service": "http", "service_name": "http", "risk_score": 75 }, "payload_preview": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:12427\r\nUser-Agent: Mozilla\/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-", "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:12427\r\nUser-Agent: Mozilla\/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\nNext-Action: x\r\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\nContent-Length: 839\r\n", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:12427\r\nUser-Agent: Mozilla\/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-", "evidence": { "method": "POST", "path": "\/", "user_agent": "Mozilla\/5.0", "waf_tags": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-4", "rce-0", "rce-2", "proto-0", "upload-0", "sap-sapcontrol-path" ], "request_line": "POST \/ HTTP\/1.1", "request_sample": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:12427\r\nUser-Agent: Mozilla\/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-alive\r\nNext-Action: x\r\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\nContent-Length: 839\r\n", "payload_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:12427\r\nUser-Agent: Mozilla\/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-", "classification_reason": "Injection commande dans la requ\u00eate \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f1291f188584f717fe268d176afb82700192bb1c", "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0", "port": 12427, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:12427\r\nUser-Agent: Mozilla\/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-", "attack_vector": "http smuggling probe \u00b7 via HTTP:12427 \u00b7 (tentative d'exploit)", "target_port_label": "12427 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 7 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Injection commande dans la requ\u00eate \u00b7 confiance 95%", "classification_reason_label_fr": "Injection commande dans la requ\u00eate \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 75\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 75 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 75, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 12427, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/", "request_line": "POST \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0", "port": 12427, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:12427 \u00b7 (tentative d'exploit)", "evidence_snippet": "POST \/ HTTP\/1.1\r\nHost: 62.3.50.33:12427\r\nUser-Agent: Mozilla\/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: \/\r\nConnection: keep-", "target_port_label": "12427 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 7 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 7 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "12427" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950019:sqli-4", "950326:rce-0", "950327:rce-0", "950335:rce-2", "950493:proto-0", "950549:upload-0", "950734:sap-sapcontrol-path", "http_cmd_injection", "http_contenttype_attack_surface", "http_jwt_body", "http_prototype_pollution", "http_ssti" ] }
08/06/2026 13:10:09 UTC	TCP	6602 · HTTP	http	Scan de ports port scan syn · via HTTP:6602 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6602 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +14 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 6602, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "0186e79606e757b00b1f42230db17e84abe0cf95", "event_fingerprint": "ed4d669efb455869ff8c13f22b543fbd1af9949d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 6602, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e884d9de10e02c46151748caff290bee7124d00", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 0, "risk_score": 42, "correlation_boost": 14 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6602, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +14", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 6602, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:6602 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "6602 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +14", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6602" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 6, "port_scan_ports_sample": [ 902, 6602, 8910, 9939, 17775, 28017 ], "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "multi_protocol_correlation" ], "correlation_confidence_boost": 14, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua" ] }
08/06/2026 13:10:06 UTC	TCP	28017 · HTTP	http	Scan de ports port scan syn · via HTTP:28017 · (reconnaissance) · → /port	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET /port Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_body_with_get http_missing_host http_no_ua net_web_probe Cible HTTP GET /port TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 28017 Chemin / cible /port Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +18 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Minecraft varint handshake Ligne de requête `GET /port?65001 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) GET /port?65001 HTTP/1.1 �A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 0, "http_query_params": 1, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "40b0968f200115ecf4af66995dcab94372fb0644", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 40, "payload_entropy": 4.234183719779188, "port_category": "registered", "org": "Unified Layer", "service": "http", "app_proto": "http", "asn": 46606, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c77418c0bf3d473eac99ac9ff07d28bf1709ad07", "event_fingerprint": "5d1738688fffc6d7f794db28326d6ea2ac394f5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0554" ], "matched_pattern_names": [ "Minecraft varint handshake" ], "pattern_ids": [ "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 46606, "org": "Unified Layer", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4c714da90d8f5519e78ee29a8d515480", "path_pattern_hash": "607c2619f4de6fb0866479f864787fec" }, "target_context": { "dst_port": 28017, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "evidence": { "method": "GET", "path": "\/port", "query_string": "65001", "request_line": "GET \/port?65001 HTTP\/1.1", "request_sample": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "payload_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\u000f\u0001\u0000\u0000\ufffd\u0000\u0000\u0000A\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ec1ba52c1ff3c192d2e346d01d9274d14c1c793", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 0, "risk_score": 42, "correlation_boost": 18 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "http_method": "GET", "http_path": "\/port", "request_line": "GET \/port?65001 HTTP\/1.1", "port": 28017, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:28017 \u00b7 (reconnaissance) \u00b7 \u2192 \/port", "evidence_snippet": "GET \/port?65001 HTTP\/1.1\r\n\r\n\ufffdA", "target_port_label": "28017 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 5, "port_scan_ports_sample": [ 902, 8910, 9939, 17775, 28017 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 4, "scan_velocity_ports_per_s": 0.9, "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "vmware-auth" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_body_with_get", "http_missing_host", "http_no_ua", "net_web_probe" ] }

162.240.226.121

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence