Méthode
—
Port
12345
Chemin / cible
—
Service
NETBUS
Payload
GET / HTTP/1.1 Host: 62.3.50.33:12345 User-Agent: Mozilla/5.0 zgrab/0.x Accept: */* Accept-Encoding: gzip
Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0594
pat-0458
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
ET zgrab fingerprint
UA zgrab
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12345
User-Agent: Mozilla/5.0 zgrab/0.x
Accept: */*
Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206e657462757320726561647920706f72743d31323334350d0a",
"emulator_response_len": 38,
"bytes_in": 113,
"payload_entropy": 5.063023157881302,
"port_category": "registered",
"org": "Above Bar Cyber Limited",
"service": "netbus",
"app_proto": "netbus",
"asn": 214285,
"country": "FR",
"dst_port": 12345,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "2a8591f17a74cbf579eca5d57133d975e28026dd",
"event_fingerprint": "4e74698fe2fcb538405d3ea87b5725c2dd122d5d",
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 108,
"precision_signals": [
"pat-0594",
"pat-0458"
],
"kb_rule_ids": [
"pat-0594",
"pat-0458"
],
"matched_patterns": [
"pat-0594",
"pat-0458"
],
"matched_pattern_names": [
"ET zgrab fingerprint",
"UA zgrab"
],
"pattern_ids": [
"pat-0594",
"pat-0458"
],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 48
},
"named_classification_skipped": false,
"classification_parent": "vuln_scanner",
"service_name": "netbus",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "FR",
"asn": 214285,
"org": "Above Bar Cyber Limited",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f9e5eec195dc4f0a6feb970b136ed9d9",
"path_pattern_hash": "b71c8aad2b015494f15e7bb035951b05"
},
"target_context": {
"dst_port": 12345,
"service": "netbus",
"service_name": "netbus",
"risk_score": 48
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d0d571d6a2f8db592f83300fc651d1b966b980a6",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 12345,
"service": "netbus",
"service_label_fr": "NETBUS"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"attack_vector": "scanner vuln \u00b7 via NETBUS:12345 \u00b7 (sonde \/ probe)",
"target_port_label": "12345 \u00b7 NETBUS",
"emulator_service": "netbus",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 15,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "netbus",
"service_label_fr": "NETBUS",
"dst_port": 12345,
"protocol_emulated": true,
"tags_summary": [
"pat-0594",
"pat-0458"
],
"tags_summary_labels_fr": [
"pat-0594",
"pat-0458"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-netbus",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"port": 12345,
"service": "netbus",
"service_label_fr": "NETBUS"
},
"attack_vector": "scanner vuln \u00b7 via NETBUS:12345 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Mozilla\/5.0 zgrab\/0.x\r\nAccept: *\/*\r\nAccept-Encoding: gzip",
"target_port_label": "12345 \u00b7 NETBUS",
"emulator_service": "netbus",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "netbus",
"service_banner": "honeypot-netbus",
"service_os": "linux",
"dst_port": "12345"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_mozi_pattern"
]
}
|