Renseignement sur les menaces

Indonésie

163.7.3.220

FAI Byteplus Pte. Ltd. Première vue 08/06/2026 06:45 UTC Dernière vue 08/06/2026 14:45 UTC Risque Moyen

Période analysée : 2026-05-21 → 2026-06-20

Activité suspecte · risque 38/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 62/100 Moyen

Première observation 08/06/2026 06:45 UTC

Dernière observation 08/06/2026 14:45 UTC

Événements (période) 133

MITRE ATT&CK principal T1499 40 occurrences

Activité suspecte · risque 38/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_20201_tcp » (signaux protocolaires) · confiance 55%

Confiance 63 % — Score WAF 32 · Bonus corrélation +8 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 150436 · 163.7.0.0/21 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 133 événements sur la période pour cette IP.

101.47.27.73 Sonde SSH 19/06/2026 12:00 UTC
163.7.11.155 Sonde SSH 18/06/2026 22:47 UTC
101.47.15.119 Sonde port 23/TCP 18/06/2026 11:43 UTC
163.7.9.84 Sonde SSH 17/06/2026 09:02 UTC
163.7.10.112 Sonde SSH 17/06/2026 00:59 UTC
69.5.20.93 Sonde PostgreSQL 16/06/2026 03:31 UTC
101.47.158.137 Sonde port 23/TCP 16/06/2026 02:33 UTC
163.7.3.154 Sonde SSH 15/06/2026 09:46 UTC

Événements (filtres)

133

Première observation

08/06/2026 06:45 UTC

Dernière observation

08/06/2026 14:45 UTC

Dernière activité (filtres)

08/06/2026 14:45 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

—

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 130 TLS TCP 2 ORACLE EM TCP 1

HTTP

130

TLS

ORACLE EM

Géolocalisation

Origine réseau déclarée

Indonésie unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Byteplus Pte. Ltd. 0 Port 20201 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

port 20201 tcp · via HTTP:20201 · (sonde / probe)

Détails protocole

Méthode: GET
Chemin: /
User-Agent: curl/7.68.0

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: curl/7.68.0 Accept: */* Accept-Encoding: gzip Connection: close

Port / service

20201 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

63% Corrélation +8

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

133 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

133 événement(s) — page 1/3

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
08/06/2026 14:45:32 UTC	TCP	20201 · HTTP	http	SSRF interne ssrf internal · via HTTP:20201 · (tentative d'exploit)	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20201 Chemin / cible / Service HTTP Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54% Confiance classification 62% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 54 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux CRS-920350 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/12 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "c2e8884208d80a53736f57e58e974bfcb74b894e", "http_host_hash": "32f9bccd1079f462d85a1b757c38a4457ac3a7ce", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.268987453164615, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 20201, "risk_waf": 72, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ac0b0263ab00d2d3960442ec33c339cfc96233e2", "event_fingerprint": "e411e573f5c716405f0435932e9eb32a089e26c4", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 64, "precision_signals": [ "CRS-920350" ], "kb_rule_ids": [ "CRS-920350" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "ssrf_attack", "service_name": "http", "risk_confidence_factor": 54, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b39d48a59fdaf429a099916c5ddf7e4c", "payload_hash": "42da60b66daf7ea37b36629eed584941", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20201, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c8fc7a984317d117b28ce0a8153199ae3fdfe401", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "attack_vector": "ssrf internal \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20201, "protocol_emulated": null, "tags_summary": [ "CRS-920350" ], "tags_summary_labels_fr": [ "CRS-920350" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf internal \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
08/06/2026 14:45:32 UTC	TCP	20201 · HTTP	http	Sonde port 20201/TCP port 20201 tcp · via HTTP:20201 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.68.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20201 Chemin / cible / Preuve honeypot — Sonde port 20201/TCP Connexion détectée sur le port 20201 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_20201_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: curl/7.68.0 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": "32f9bccd1079f462d85a1b757c38a4457ac3a7ce", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 122, "payload_entropy": 4.955271584703359, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 20201, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 20 }, "risk_score": 38, "tag_count": 4, "anomaly_count": 1, "campaign_key": "c3c7ace4433dbb892915d7eca68408327d7a3fed", "event_fingerprint": "ca007e1c2aea30a94607e3e2737c39abafbea8fe", "classification_reason": "Type \u00ab port_20201_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "4ceb74acfc3404cc21db5570b094fb04", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20201, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab port_20201_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8f22d8ef30f370aff639a04ee068def319d00f5c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "port 20201 tcp \u00b7 via HTTP:20201 \u00b7 (sonde \/ probe)", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_20201_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_20201_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 20, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20201, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 20201 tcp \u00b7 via HTTP:20201 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 84 }
08/06/2026 14:45:31 UTC	TCP	20201 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:20201 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20201 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/1 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: text/html,application/json,/ Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "275047f33fcfba22b49ba38621d94d6e930d6b58", "http_host_hash": "32f9bccd1079f462d85a1b757c38a4457ac3a7ce", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 218, "payload_entropy": 5.2434171900899775, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 20201, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ac0b0263ab00d2d3960442ec33c339cfc96233e2", "event_fingerprint": "e411e573f5c716405f0435932e9eb32a089e26c4", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ccb11ace7973572967f1bc6e8e53c47b", "payload_hash": "826c0aafcece11c11e224da70f8ef4ab", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20201, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/1", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: text\/html,application\/json,\/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/1", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: text\/html,application\/json,\/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/1", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2c4501c3aad77b9477280ba19059714e67f55a45", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/1", "attack_vector": "exploit attempt \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20201, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/1", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
08/06/2026 14:45:31 UTC	TCP	20201 · HTTP	http	SSRF interne ssrf internal · via HTTP:20201 · (tentative d'exploit)	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20201 Chemin / cible / Service HTTP Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54% Confiance classification 62% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 54 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux CRS-920350 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/12 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept: application/json Content-Type: application/json Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 6, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "c2e8884208d80a53736f57e58e974bfcb74b894e", "http_host_hash": "32f9bccd1079f462d85a1b757c38a4457ac3a7ce", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.210633031380557, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 20201, "risk_waf": 72, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ac0b0263ab00d2d3960442ec33c339cfc96233e2", "event_fingerprint": "e411e573f5c716405f0435932e9eb32a089e26c4", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 64, "precision_signals": [ "CRS-920350" ], "kb_rule_ids": [ "CRS-920350" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "ssrf_attack", "service_name": "http", "risk_confidence_factor": 54, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b39d48a59fdaf429a099916c5ddf7e4c", "payload_hash": "1931a4202f2e76976fd0b51342483f5a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20201, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: application\/json\r\nContent-Type: application\/json\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: application\/json\r\nContent-Type: application\/json\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d62703ac92ff3ece5a8ed2587a75f602e8fed12f", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "attack_vector": "ssrf internal \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20201, "protocol_emulated": null, "tags_summary": [ "CRS-920350" ], "tags_summary_labels_fr": [ "CRS-920350" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf internal \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/12", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
08/06/2026 14:45:30 UTC	TCP	20201 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:20201 · (sonde / probe)	Moyenne	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 2196848d251b217d Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 20201 Chemin / cible — Service TLS Payload ��5�rxm,�Ԙ� ��)��t��,��ѣ ��_��p�eV/�FX��s {8��Z3�z[��+�/�,�0̨̩� �� [ � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��5�rxm,�Ԙ� ��)��t��,��ѣ ��_��p�eV/�FX��s{8��Z3�z[��+�/�,�0̨̩� �� [� Requête brute (extrait) ��5�rxm,�Ԙ� ��)��t��,��ѣ ��_��p�eV/�FX��s {8��Z3�z[��+�/�,�0̨̩� �� [ � � 2+3��XD�L��.�i�!�T�.��M��ä�ddu Meta JSON brut { "tls_ja3_hash": "2196848d251b217de8b2c037e356c11d", "tls_sni": null, "bytes_in": 1479, "payload_entropy": 7.704225250098412, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "tls", "app_proto": "tls", "asn": 150436, "country": "ID", "dst_port": 20201, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 2, "anomaly_count": 0, "campaign_key": "bdce99871bf97222954999d190b2a9a106fb550d", "event_fingerprint": "3c7a669d927926dd057cf4c67f6d943dc79b58a8", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "2196848d251b217de8b2c037e356c11d", "payload_hash": "df2f85a829e8a0409fc20132f93179a6", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 20201, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd5\u0006\ufffdrxm,\ufffd\u0518\ufffd\r\ufffd\u0004\ufffd)\ufffd\u001f\ufffd\ufffd\ufffdt\ufffd\ufffd,\ufffd\ufffd\u0463 \ufffd\ufffd\ufffd_\ufffd\ufffdp\ufffdeV\/\ufffdFX\ufffd\ufffd\u0010\ufffds\u000b{8\ufffd\ufffdZ3\ufffdz[\ufffd\u001a\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd5\u0006\ufffdrxm,\ufffd\u0518\ufffd\r\ufffd\u0004\ufffd)\ufffd\u001f\ufffd\ufffd\ufffdt\ufffd\ufffd,\ufffd\ufffd\u0463 \ufffd\ufffd\ufffd_\ufffd\ufffdp\ufffdeV\/\ufffdFX\ufffd\ufffd\u0010\ufffds\u000b{8\ufffd\ufffdZ3\ufffdz[\ufffd\u001a\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u0006\ufffdXD\ufffdL\ufffd\ufffd.\ufffdi\ufffd!\ufffdT\ufffd\u0000.\ufffd\ufffdM\ufffd\ufffd\u00e4\ufffdddu", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd5\u0006\ufffdrxm,\ufffd\u0518\ufffd\r\ufffd\u0004\ufffd)\ufffd\u001f\ufffd\ufffd\ufffdt\ufffd\ufffd,\ufffd\ufffd\u0463 \ufffd\ufffd\ufffd_\ufffd\ufffdp\ufffdeV\/\ufffdFX\ufffd\ufffd\u0010\ufffds\u000b{8\ufffd\ufffdZ3\ufffdz[\ufffd\u001a\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c97b188fcd9604632fce5c8e8f604548dd18cedc", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd5\u0006\ufffdrxm,\ufffd\u0518\ufffd\r\ufffd\u0004\ufffd)\ufffd\u001f\ufffd\ufffd\ufffdt\ufffd\ufffd,\ufffd\ufffd\u0463 \ufffd\ufffd\ufffd_\ufffd\ufffdp\ufffdeV\/\ufffdFX\ufffd\ufffd\u0010\ufffds\u000b{8\ufffd\ufffdZ3\ufffdz[\ufffd\u001a\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "tls_ja3": "2196848d251b217de8b2c037e356c11d", "port": 20201, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd5\ufffdrxm,\ufffd\u0518\ufffd\r\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd,\ufffd\ufffd\u0463 \ufffd\ufffd\ufffd_\ufffd\ufffdp\ufffdeV\/\ufffdFX\ufffd\ufffd\ufffds{8\ufffd\ufffdZ3\ufffdz[\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd[\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:20201 \u00b7 (sonde \/ probe)", "target_port_label": "20201 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 20201, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd5\u0006\ufffdrxm,\ufffd\u0518\ufffd\r\ufffd\u0004\ufffd)\ufffd\u001f\ufffd\ufffd\ufffdt\ufffd\ufffd,\ufffd\ufffd\u0463 \ufffd\ufffd\ufffd_\ufffd\ufffdp\ufffdeV\/\ufffdFX\ufffd\ufffd\u0010\ufffds\u000b{8\ufffd\ufffdZ3\ufffdz[\ufffd\u001a\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005[\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "tls_ja3": "2196848d251b217de8b2c037e356c11d", "port": 20201, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:20201 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd5\ufffdrxm,\ufffd\u0518\ufffd\r\ufffd\ufffd)\ufffd\ufffd\ufffd\ufffdt\ufffd\ufffd,\ufffd\ufffd\u0463 \ufffd\ufffd\ufffd_\ufffd\ufffdp\ufffdeV\/\ufffdFX\ufffd\ufffd\ufffds{8\ufffd\ufffdZ3\ufffdz[\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd[\ufffd", "target_port_label": "20201 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "20201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni" ] }
08/06/2026 14:45:30 UTC	TCP	20201 · HTTP	http	SSRF ssrf attack · via HTTP:20201 · (tentative d'exploit)	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 15 Recommandation Surveiller Tags 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20201 Chemin / cible / Service HTTP Pourquoi cette classification : Règle WAF « ssrf-3 » · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 48 Confiance : Confiance 50 % — 3 tag(s) WAF Signaux Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: gzip Conn Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:20201 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "32f9bccd1079f462d85a1b757c38a4457ac3a7ce", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 145, "payload_entropy": 4.995740252250288, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 20201, "risk_waf": 68, "risk_classification": 84, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 68, "classification": 84, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ac5267740c3fd17abc3c9c2e96bd95bd1da7d193", "event_fingerprint": "4a2ae67abbf55b8fecf81ae748624de488afd548", "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 68, "classification": 84, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "7e43cbe83a04b3a931335eed0034603b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 20201, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConn", "method": "GET", "path": "\/", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConn", "evidence": { "method": "GET", "path": "\/", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConn", "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ssrf_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0fd179b5763dcf54faf50a462729930f61c900f9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConn", "attack_vector": "ssrf attack \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "classification_reason_label_fr": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 68, "classification": 84, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 20201, "protocol_emulated": null, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 20201, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf attack \u00b7 via HTTP:20201 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:20201\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConn", "target_port_label": "20201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 68 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "20201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 96 }
08/06/2026 12:28:03 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /assets/js/app.js.map	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /assets/js/app.js.map UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /assets/js/app.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /assets/js/app.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /assets/js/app.js.map HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /assets/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /assets/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "map", "http_ua_hash": "c2e8884208d80a53736f57e58e974bfcb74b894e", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "c9a32c0ceb63a765f32078995ff8992423e600f1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 227, "payload_entropy": 5.2983120572395705, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7440a7a221b7dce7174a689ff6f06e6f3bb4dd87", "event_fingerprint": "9489e5b889de549cc1dbbe76cf24df1f474b8747", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b39d48a59fdaf429a099916c5ddf7e4c", "payload_hash": "54ddde45c045fa5de0dcd422a5d4e526", "path_pattern_hash": "1d8667fd3f310a7393945815a244dbc9" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/assets\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/assets\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "36d58f3f5e37396489ab47055d3d7b83fed9a64b", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/app.js.map", "request_line": "GET \/assets\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/app.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/app.js.map", "request_line": "GET \/assets\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/app.js.map", "evidence_snippet": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_web_probe" ] }
08/06/2026 12:28:03 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /static/js/main.js.map	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/main.js.map UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/main.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /static/js/main.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/main.js.map HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/main.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Geck Requête brute (extrait) GET /static/js/main.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "map", "http_ua_hash": "275047f33fcfba22b49ba38621d94d6e930d6b58", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "e0d6e12dbc1c8809c842f3499e03cbce22fa872f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.260600377722974, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "db4c23ab4f5eedd9dd028006b67e6bfef8cd7f57", "event_fingerprint": "13868b0b8ecc8bca28d9ed27402def4c301a320b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ccb11ace7973572967f1bc6e8e53c47b", "payload_hash": "e7f9ca6477bc0bb7ace942070dca6c8e", "path_pattern_hash": "5e2df47bb80a14a3a8fb72ed2c567f03" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Geck", "method": "GET", "path": "\/static\/js\/main.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js.map HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Geck", "evidence": { "method": "GET", "path": "\/static\/js\/main.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js.map HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Geck", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b7b0de99f6533e5c1c9ad2a1e491ee1025dc794", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js.map", "request_line": "GET \/static\/js\/main.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Geck", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js.map", "request_line": "GET \/static\/js\/main.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js.map", "evidence_snippet": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Geck", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ] }
08/06/2026 12:28:03 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /js/config.js.map	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/config.js.map UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950316:lfi-14 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/config.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /js/config.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /js/config.js.map HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF lfi-14 ssrf-3 nosqli-3 Payload (extrait) GET /js/config.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept: / Requête brute (extrait) GET /js/config.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "map", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "79df73281f9bce961b0aaa25a26522429c228858", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 173, "payload_entropy": 5.097490979207422, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "dbc835f2720309b43b0f0a230ec424923c522b04", "event_fingerprint": "96a51892888362d10a0886ad3e914e567c3b2729", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "dcde099e92e9f95a3cad7b1562cbd2b6", "path_pattern_hash": "ef4f0da8cff8c8c8afcf5b637f23c23b" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r", "method": "GET", "path": "\/js\/config.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/js\/config.js.map HTTP\/1.1", "request_sample": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/js\/config.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/js\/config.js.map HTTP\/1.1", "request_sample": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0502de6f2ec167f4046867593eb80a4bba3d8402", "protocol_details": { "http_method": "GET", "http_path": "\/js\/config.js.map", "request_line": "GET \/js\/config.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/config.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/config.js.map", "request_line": "GET \/js\/config.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/config.js.map", "evidence_snippet": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:03 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /js/app.js.map	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/app.js.map UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/app.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /js/app.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /js/app.js.map HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537. Requête brute (extrait) GET /js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "map", "http_ua_hash": "c2e8884208d80a53736f57e58e974bfcb74b894e", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "6ca7b2b86a32a17742236847cf98af9056502011", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 220, "payload_entropy": 5.314775680864177, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "60fa118db27e033c8b9a142c40494797c4b15a16", "event_fingerprint": "df1a4d5d347c14576809398ff8960ca9540a1cd0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b39d48a59fdaf429a099916c5ddf7e4c", "payload_hash": "f7245a147158dae571e62fc18d829870", "path_pattern_hash": "4a0a22035e7129ef0cc484f8528486c6" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "method": "GET", "path": "\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9284e4ae9f2dad0472ebcf8c91f9865b963ba7d4", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js.map", "request_line": "GET \/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js.map", "request_line": "GET \/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js.map", "evidence_snippet": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:03 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /bundle.js.map	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /bundle.js.map UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /bundle.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /bundle.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /bundle.js.map HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bundle.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/201001 Requête brute (extrait) GET /bundle.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "map", "http_ua_hash": "275047f33fcfba22b49ba38621d94d6e930d6b58", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "4a6d501faa5d3eb0e83b6a1c50d62de04a1ec928", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 203, "payload_entropy": 5.292363032438943, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3cf08abad56acabaae7e90bd170c28948d17a86e", "event_fingerprint": "30140dc19c58a9d83bf8bfee91bb9ddf06c23dcb", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ccb11ace7973572967f1bc6e8e53c47b", "payload_hash": "84bc7374014e46e47302f4ff1975e763", "path_pattern_hash": "6c3dca9a74dbc60aee09972b60d7b1f5" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201001", "method": "GET", "path": "\/bundle.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bundle.js.map HTTP\/1.1", "request_sample": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201001", "evidence": { "method": "GET", "path": "\/bundle.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bundle.js.map HTTP\/1.1", "request_sample": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201001", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c68f6c5c4f4869f2c860db6d055046be1759b9b3", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js.map", "request_line": "GET \/bundle.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201001", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js.map", "request_line": "GET \/bundle.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js.map", "evidence_snippet": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201001", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:03 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /dist/js/app.js.map	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /dist/js/app.js.map UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /dist/js/app.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /dist/js/app.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /dist/js/app.js.map HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /dist/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /dist/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "map", "http_ua_hash": "f32cea479e784489678c6dd0ff2e46c0f0aea6f0", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "f147181f5a257cd496459a509a6c9cb31901cb8d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 219, "payload_entropy": 5.30420273976127, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "60fa118db27e033c8b9a142c40494797c4b15a16", "event_fingerprint": "64687e0debecbd70e97bde3cf1bc879e5ea76f73", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "68152b53bdbc42efab93e1a65aa43b12", "payload_hash": "8f5e763d4367f50016ae63ad649ffeaf", "path_pattern_hash": "7241176cd38199c21a82e92f755bc37b" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/dist\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/dist\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "378e92a3fcd68da486077ac5be9e2f7341637bf8", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/js\/app.js.map", "request_line": "GET \/dist\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/js\/app.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/js\/app.js.map", "request_line": "GET \/dist\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/js\/app.js.map", "evidence_snippet": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /terraform.tfvars	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /terraform.tfvars UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /terraform.tfvars TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /terraform.tfvars Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /terraform.tfvars HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /terraform.tfvars HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/201 Requête brute (extrait) GET /terraform.tfvars HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "tfvars", "http_ua_hash": "275047f33fcfba22b49ba38621d94d6e930d6b58", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "682535af91f368f38ffc4bf792acea52986ab2a4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.257436090148263, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3cf08abad56acabaae7e90bd170c28948d17a86e", "event_fingerprint": "2790e22a7a5bdda7a99284f708424c00bcb73089", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ccb11ace7973572967f1bc6e8e53c47b", "payload_hash": "f2ce71348df86a230bb56e792c700c21", "path_pattern_hash": "2c4bcdd4dd35b049645b423cf6d4c39f" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201", "method": "GET", "path": "\/terraform.tfvars", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfvars HTTP\/1.1", "request_sample": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201", "evidence": { "method": "GET", "path": "\/terraform.tfvars", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/terraform.tfvars HTTP\/1.1", "request_sample": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a79c344d8499253dc3ad856a36cb7db1640a700a", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfvars", "request_line": "GET \/terraform.tfvars HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/terraform.tfvars", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfvars", "request_line": "GET \/terraform.tfvars HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/terraform.tfvars", "evidence_snippet": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/201", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /dist/js/app.js	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /dist/js/app.js UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950316:lfi-14 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /dist/js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /dist/js/app.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /dist/js/app.js HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF lfi-14 ssrf-3 nosqli-3 Payload (extrait) GET /dist/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept: / A Requête brute (extrait) GET /dist/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "faee33e43c7a7b20bc3162b1910a5f08627cc973", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 171, "payload_entropy": 5.0895188819689565, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "dbc835f2720309b43b0f0a230ec424923c522b04", "event_fingerprint": "e0776ad9dafab2530e5a1989de475fa7f7e89f67", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "54c4a194754c186b9d982bb341a9c884", "path_pattern_hash": "1b85e9f24274ccd77769e12b6e295d9e" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nA", "method": "GET", "path": "\/dist\/js\/app.js", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/dist\/js\/app.js HTTP\/1.1", "request_sample": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nA", "evidence": { "method": "GET", "path": "\/dist\/js\/app.js", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/dist\/js\/app.js HTTP\/1.1", "request_sample": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nA", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8d3a72a4be2e06c8c08a958073533af9a0ef911e", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/js\/app.js", "request_line": "GET \/dist\/js\/app.js HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nA", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/js\/app.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/js\/app.js", "request_line": "GET \/dist\/js\/app.js HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/js\/app.js", "evidence_snippet": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nA", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /static/js/main.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/main.js UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 33 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950406:ssrf-3 950468:nosqli-3 Cible HTTP GET /static/js/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /static/js/main.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 5 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /static/js/main.js HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /static/js/main.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.c Requête brute (extrait) GET /static/js/main.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "fc1209930d53479f9de40769306d0e03c0e12113", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.138495631732375, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 7, "anomaly_count": 0, "campaign_key": "77d390b52ab9ae3d2bded485df4427f049bd4098", "event_fingerprint": "71b5415eb6e14db526ce5b0808fc3330947f33b3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "cc54ad14503fdb31a96fff08a49d9812", "path_pattern_hash": "d7eccad93f9f7ba9883784f3d98302b8" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "method": "GET", "path": "\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "evidence": { "method": "GET", "path": "\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7377159de7d1ce2f7b1459c88ccfe718a0cad700", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js", "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js", "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js", "evidence_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /docker-compose.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /docker-compose.yml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /docker-compose.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /docker-compose.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Probe /docker-compose.yml Ligne de requête `GET /docker-compose.yml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /docker-compose.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit Requête brute (extrait) GET /docker-compose.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "c2e8884208d80a53736f57e58e974bfcb74b894e", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "284ed5c0f139fefe102f54c41fbd64a2a9a5ffd9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 225, "payload_entropy": 5.329623735130769, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3cf08abad56acabaae7e90bd170c28948d17a86e", "event_fingerprint": "57083b95ba6d740665b733c7171add6d503aa95b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324", "pat-0251" ], "matched_pattern_names": [ "SSRF Any-address SSRF", "Probe \/docker-compose.yml" ], "pattern_ids": [ "pat-0324", "pat-0251" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b39d48a59fdaf429a099916c5ddf7e4c", "payload_hash": "c2e8dd5c8a9e7091c82f31086ccbe205", "path_pattern_hash": "96d32e90d2f8019607590c30e27c0bff" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit", "method": "GET", "path": "\/docker-compose.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit", "evidence": { "method": "GET", "path": "\/docker-compose.yml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/docker-compose.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17a8b3e7807ccc72117b57fd412651d3f840d1b8", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yml", "request_line": "GET \/docker-compose.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yml", "request_line": "GET \/docker-compose.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.yml", "evidence_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /js/app.js	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/app.js UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950316:lfi-14 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /js/app.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /js/app.js HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF lfi-14 ssrf-3 nosqli-3 Payload (extrait) GET /js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept: / Accept Requête brute (extrait) GET /js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "a22d1d868692973288e25c89f766247feac6353d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 166, "payload_entropy": 5.088075501636365, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "dbc835f2720309b43b0f0a230ec424923c522b04", "event_fingerprint": "a7cfe32e49ad12c7ef3664e5ecf58661a8d4d347", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "6ab89d7ced2def0df924fe885b6e2c68", "path_pattern_hash": "de7fe7d5b9603182c141cba6f00e2511" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept", "method": "GET", "path": "\/js\/app.js", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/js\/app.js HTTP\/1.1", "request_sample": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept", "evidence": { "method": "GET", "path": "\/js\/app.js", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/js\/app.js HTTP\/1.1", "request_sample": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e0e94bdffaa3a6c9942aed484fbf4abea81b5a72", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js", "request_line": "GET \/js\/app.js HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js", "request_line": "GET \/js\/app.js HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js", "evidence_snippet": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /bundle.js	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /bundle.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /bundle.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /bundle.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /bundle.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 F Requête brute (extrait) GET /bundle.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "275047f33fcfba22b49ba38621d94d6e930d6b58", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "5c28bc6707fadbc1c6dacdabca89ac4afb276d6a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.265878755368996, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3cf08abad56acabaae7e90bd170c28948d17a86e", "event_fingerprint": "5072e5ee43ca5736316dbdbbd79da2ec20316202", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ccb11ace7973572967f1bc6e8e53c47b", "payload_hash": "8fc7d7e44aec6675727c67637721f44a", "path_pattern_hash": "59bff92e27ba3df61892a035edfe8dbf" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 F", "method": "GET", "path": "\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bundle.js HTTP\/1.1", "request_sample": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 F", "evidence": { "method": "GET", "path": "\/bundle.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/bundle.js HTTP\/1.1", "request_sample": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 F", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1347c4ed179cca054bc6811da4d4d4298cfc89e5", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js", "request_line": "GET \/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 F", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js", "request_line": "GET \/bundle.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js", "evidence_snippet": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 F", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /.github/workflows/deploy.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/deploy.yml UA python-requests/2.28.0 Émulateur HTTP WAF 9 Recommandation Investiguer Tags 950468:nosqli-3 scanner-ua anomaly:scanner-ua http_sensitive_path Cible HTTP GET /.github/workflows/deploy.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /.github/workflows/deploy.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.github/workflows/deploy.yml HTTP/1.1` User-Agent python-requests/2.28.0 Règles WAF nosqli-3 scanner-ua Payload (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept: / Accept-Encod Requête brute (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "6138fbc1f454dd2d02de8df42ee0338acb02be6c", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "9a980960a1dce8601282270803934f12c1e6c3d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 160, "payload_entropy": 5.18452582739751, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 44, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 44, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 51, "tag_count": 6, "anomaly_count": 1, "campaign_key": "2aee2080db80c025cc623d77ff690610efcd9f62", "event_fingerprint": "129fb91f592320c474f138dba38c7cf4964d789a", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 44, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3bb291801334b2535cf4091a382a71d", "payload_hash": "2af27b209d005ca3e695835a827f0eb8", "path_pattern_hash": "76cfbca880390f07dc02774a92e03828" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encod", "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "950468:nosqli-3", "scanner-ua" ], "waf_rule_names": [ "nosqli-3", "scanner-ua" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encod", "evidence": { "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "950468:nosqli-3", "scanner-ua" ], "waf_rule_names": [ "nosqli-3", "scanner-ua" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encod", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "06c989f3cba904273d0a7350d512a1c351d5ab24", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encod", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 44, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encod", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950468:nosqli-3", "anomaly:scanner-ua", "http_sensitive_path", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /static/js/app.js.map	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/app.js.map UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950316:lfi-14 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/app.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /static/js/app.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /static/js/app.js.map HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF lfi-14 ssrf-3 nosqli-3 Payload (extrait) GET /static/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-E Requête brute (extrait) GET /static/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "map", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "db1696464f82d3203ed921e4de7fbaab3515069e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 164, "payload_entropy": 5.07956484201532, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "25fb5ec29c1f0f01908982a54283c74c239fc9f7", "event_fingerprint": "8daeda9d30a8c27bc8db5cfc11562d28ecd1c837", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "df0f0d987ff6b178b10542a2e3b0cbab", "path_pattern_hash": "8f9730f30c446a4942d7bb1adf841a4a" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "method": "GET", "path": "\/static\/js\/app.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "evidence": { "method": "GET", "path": "\/static\/js\/app.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e635280eb65771bce99f1c5640b4e4ea0af7a55", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js.map", "request_line": "GET \/static\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js.map", "request_line": "GET \/static\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js.map", "evidence_snippet": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /.gitlab-ci.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.gitlab-ci.yml UA python-requests/2.28.0 Émulateur HTTP WAF 3 Recommandation Investiguer Tags scanner-ua anomaly:scanner-ua http_sensitive_path http_ua_suspicious Cible HTTP GET /.gitlab-ci.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /.gitlab-ci.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitlab-ci.yml HTTP/1.1` User-Agent python-requests/2.28.0 Règles WAF scanner-ua Payload (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept: / Accept-Encoding: gzip Con Requête brute (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "6138fbc1f454dd2d02de8df42ee0338acb02be6c", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "438af05b92495206533fc223d46e511d40c32485", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 146, "payload_entropy": 5.108562101456768, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 20, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 51, "tag_count": 5, "anomaly_count": 1, "campaign_key": "b6367663eb07e1f3f38e09b349ef8a19ed6f72ff", "event_fingerprint": "fe4e431a54855a388853454d7fb0cda8ce7c0888", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3bb291801334b2535cf4091a382a71d", "payload_hash": "f7610254db56a6487292924eca53e5ae", "path_pattern_hash": "1c248e6546ed96558dfcda198b4e61ef" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nCon", "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nCon", "evidence": { "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nCon", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13de7eba73463469c9fd2265789bef4d0fcd7a22", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nCon", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nCon", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "anomaly:scanner-ua", "http_sensitive_path", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /js/config.js	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/config.js UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 33 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950406:ssrf-3 950468:nosqli-3 Cible HTTP GET /js/config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /js/config.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 5 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /js/config.js HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /js/config.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bo Requête brute (extrait) GET /js/config.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "f5afc629ed7fb6b21acd96102b14535f7eccb6cd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 194, "payload_entropy": 5.153825794226707, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 6, "anomaly_count": 0, "campaign_key": "ff07eea3f1d14f021ff9331e92328d64d9e737b9", "event_fingerprint": "d75b7e54f5f6dad266fe20f5f81256ed3dfdd134", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "b1e25479bf4af224af45d6da720e5fff", "path_pattern_hash": "31cba546269a313085e31a4b0b460574" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bo", "method": "GET", "path": "\/js\/config.js", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/js\/config.js HTTP\/1.1", "request_sample": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bo", "evidence": { "method": "GET", "path": "\/js\/config.js", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/js\/config.js HTTP\/1.1", "request_sample": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bo", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7fa8c8c3fa55a6b2a424f076d9aee9884abc63a6", "protocol_details": { "http_method": "GET", "http_path": "\/js\/config.js", "request_line": "GET \/js\/config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bo", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/config.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/config.js", "request_line": "GET \/js\/config.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/config.js", "evidence_snippet": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bo", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /assets/js/app.js.map	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /assets/js/app.js.map UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950316:lfi-14 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /assets/js/app.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /assets/js/app.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /assets/js/app.js.map HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF lfi-14 ssrf-3 nosqli-3 Payload (extrait) GET /assets/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-E Requête brute (extrait) GET /assets/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "map", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "c9a32c0ceb63a765f32078995ff8992423e600f1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 164, "payload_entropy": 5.0757998923981225, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a538800e22833e6c613206a47c0671cf0cf1ce81", "event_fingerprint": "9489e5b889de549cc1dbbe76cf24df1f474b8747", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "40f15e57032a3abcbdfaa8e45564a117", "path_pattern_hash": "1d8667fd3f310a7393945815a244dbc9" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "method": "GET", "path": "\/assets\/js\/app.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/assets\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "evidence": { "method": "GET", "path": "\/assets\/js\/app.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/assets\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "35a18e88b527310c25fd7bf189b8bbcb23c01dc0", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/app.js.map", "request_line": "GET \/assets\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/app.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/app.js.map", "request_line": "GET \/assets\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/app.js.map", "evidence_snippet": "GET \/assets\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-E", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /dist/js/app.js.map	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /dist/js/app.js.map UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /dist/js/app.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /dist/js/app.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /dist/js/app.js.map HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /dist/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.3 Requête brute (extrait) GET /dist/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "map", "http_ua_hash": "f32cea479e784489678c6dd0ff2e46c0f0aea6f0", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "f147181f5a257cd496459a509a6c9cb31901cb8d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.294567560726245, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "60fa118db27e033c8b9a142c40494797c4b15a16", "event_fingerprint": "64687e0debecbd70e97bde3cf1bc879e5ea76f73", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "68152b53bdbc42efab93e1a65aa43b12", "payload_hash": "9b43adbed0dfa1bff3385467a4bd9ad1", "path_pattern_hash": "7241176cd38199c21a82e92f755bc37b" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "method": "GET", "path": "\/dist\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/dist\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "853c9f4bd1955cb83272046c21eb6e682820f3eb", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/js\/app.js.map", "request_line": "GET \/dist\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/js\/app.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/js\/app.js.map", "request_line": "GET \/dist\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/js\/app.js.map", "evidence_snippet": "GET \/dist\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /static/js/main.js.map	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/main.js.map UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/main.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /static/js/main.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /static/js/main.js.map HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/main.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/53 Requête brute (extrait) GET /static/js/main.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "map", "http_ua_hash": "f32cea479e784489678c6dd0ff2e46c0f0aea6f0", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "e0d6e12dbc1c8809c842f3499e03cbce22fa872f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.286987808784708, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "db4c23ab4f5eedd9dd028006b67e6bfef8cd7f57", "event_fingerprint": "13868b0b8ecc8bca28d9ed27402def4c301a320b", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "68152b53bdbc42efab93e1a65aa43b12", "payload_hash": "aa4f01e1aab0297cf9733c255722b558", "path_pattern_hash": "5e2df47bb80a14a3a8fb72ed2c567f03" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "method": "GET", "path": "\/static\/js\/main.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js.map HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "evidence": { "method": "GET", "path": "\/static\/js\/main.js.map", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js.map HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "062cc2d2a9ba3570041aaacab36754866bd99743", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js.map", "request_line": "GET \/static\/js\/main.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js.map", "request_line": "GET \/static\/js\/main.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js.map", "evidence_snippet": "GET \/static\/js\/main.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/53", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /js/config.js.map	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/config.js.map UA python-requests/2.28.0 Émulateur HTTP WAF 17 Recommandation Investiguer Tags 950316:lfi-14 950468:nosqli-3 scanner-ua anomaly:scanner-ua Cible HTTP GET /js/config.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /js/config.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /js/config.js.map HTTP/1.1` User-Agent python-requests/2.28.0 Règles WAF lfi-14 nosqli-3 scanner-ua Payload (extrait) GET /js/config.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: cl Requête brute (extrait) GET /js/config.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "map", "http_ua_hash": "6138fbc1f454dd2d02de8df42ee0338acb02be6c", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "79df73281f9bce961b0aaa25a26522429c228858", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 135, "payload_entropy": 5.103647957304379, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 76, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 54, "tag_count": 6, "anomaly_count": 1, "campaign_key": "11ba358b21817ec09e5329876e490efd666c4170", "event_fingerprint": "96a51892888362d10a0886ad3e914e567c3b2729", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3bb291801334b2535cf4091a382a71d", "payload_hash": "e8227051b249e321dcc1303bd0f3eca0", "path_pattern_hash": "ef4f0da8cff8c8c8afcf5b637f23c23b" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "method": "GET", "path": "\/js\/config.js.map", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "scanner-ua" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "scanner-ua" ], "request_line": "GET \/js\/config.js.map HTTP\/1.1", "request_sample": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "evidence": { "method": "GET", "path": "\/js\/config.js.map", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "scanner-ua" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "scanner-ua" ], "request_line": "GET \/js\/config.js.map HTTP\/1.1", "request_sample": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "007965c3232412f4bcf3ad0254ea810edf240517", "protocol_details": { "http_method": "GET", "http_path": "\/js\/config.js.map", "request_line": "GET \/js\/config.js.map HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/config.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/config.js.map", "request_line": "GET \/js\/config.js.map HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/config.js.map", "evidence_snippet": "GET \/js\/config.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 76 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /bundle.js.map	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /bundle.js.map UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950406:ssrf-3 950470:nosqli-3 net_web_probe Cible HTTP GET /bundle.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /bundle.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /bundle.js.map HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF ssrf-3 nosqli-3 Payload (extrait) GET /bundle.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding Requête brute (extrait) GET /bundle.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "map", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "4a6d501faa5d3eb0e83b6a1c50d62de04a1ec928", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 157, "payload_entropy": 5.108195650848991, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9ebc1ee662c64657087cf3bed2190d67320cc6f5", "event_fingerprint": "3ffe876dfe270d61614292d3ba1db4d28759cdf5", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "366d00514cc2eda4ab0fad207ad88a06", "path_pattern_hash": "6c3dca9a74dbc60aee09972b60d7b1f5" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding", "method": "GET", "path": "\/bundle.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/bundle.js.map HTTP\/1.1", "request_sample": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding", "evidence": { "method": "GET", "path": "\/bundle.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/bundle.js.map HTTP\/1.1", "request_sample": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9384e41b43769612f385e752e98c43746e968567", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js.map", "request_line": "GET \/bundle.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js.map", "request_line": "GET \/bundle.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js.map", "evidence_snippet": "GET \/bundle.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /static/js/app.js.map	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/app.js.map UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950316:lfi-14 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/app.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /static/js/app.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /static/js/app.js.map HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF lfi-14 ssrf-3 nosqli-3 Payload (extrait) GET /static/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept: Requête brute (extrait) GET /static/js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "map", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "db1696464f82d3203ed921e4de7fbaab3515069e", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 177, "payload_entropy": 5.083528607508321, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "25fb5ec29c1f0f01908982a54283c74c239fc9f7", "event_fingerprint": "8daeda9d30a8c27bc8db5cfc11562d28ecd1c837", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "49f521fd63651b42a0e4de56f1191b40", "path_pattern_hash": "8f9730f30c446a4942d7bb1adf841a4a" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: ", "method": "GET", "path": "\/static\/js\/app.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept:", "evidence": { "method": "GET", "path": "\/static\/js\/app.js.map", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept:", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e3f62ea695cb1dbe9dedb49b47923fa335255db1", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js.map", "request_line": "GET \/static\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept:", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js.map", "request_line": "GET \/static\/js\/app.js.map HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js.map", "evidence_snippet": "GET \/static\/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept:", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ] }
08/06/2026 12:28:02 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /js/app.js.map	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/app.js.map UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/app.js.map TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /js/app.js.map Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /js/app.js.map HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537. Requête brute (extrait) GET /js/app.js.map HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "map", "http_ua_hash": "c2e8884208d80a53736f57e58e974bfcb74b894e", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "6ca7b2b86a32a17742236847cf98af9056502011", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.310830739816743, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "60fa118db27e033c8b9a142c40494797c4b15a16", "event_fingerprint": "df1a4d5d347c14576809398ff8960ca9540a1cd0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b39d48a59fdaf429a099916c5ddf7e4c", "payload_hash": "25ce70189fea12a7d10b1f2e9b7200d4", "path_pattern_hash": "4a0a22035e7129ef0cc484f8528486c6" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "method": "GET", "path": "\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/js\/app.js.map", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/app.js.map HTTP\/1.1", "request_sample": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dac55398f2ae9fccfd61ffafa876209b9581a216", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js.map", "request_line": "GET \/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js.map", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js.map", "request_line": "GET \/js\/app.js.map HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js.map", "evidence_snippet": "GET \/js\/app.js.map HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /terraform.tfvars	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /terraform.tfvars UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 12 Recommandation Investiguer Tags 950406:ssrf-3 950470:nosqli-3 net_web_probe Cible HTTP GET /terraform.tfvars TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /terraform.tfvars Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /terraform.tfvars HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF ssrf-3 nosqli-3 Payload (extrait) GET /terraform.tfvars HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encod Requête brute (extrait) GET /terraform.tfvars HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "tfvars", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "682535af91f368f38ffc4bf792acea52986ab2a4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 160, "payload_entropy": 5.115380194100272, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 56, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9ebc1ee662c64657087cf3bed2190d67320cc6f5", "event_fingerprint": "3da844910b9e4022c1acd344c1252d281387029f", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "abfd78badc0775437977c3ee318aaf34", "path_pattern_hash": "2c4bcdd4dd35b049645b423cf6d4c39f" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "method": "GET", "path": "\/terraform.tfvars", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/terraform.tfvars HTTP\/1.1", "request_sample": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "evidence": { "method": "GET", "path": "\/terraform.tfvars", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/terraform.tfvars HTTP\/1.1", "request_sample": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "77554c439d8c530544779d297061901b27e69437", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfvars", "request_line": "GET \/terraform.tfvars HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/terraform.tfvars", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/terraform.tfvars", "request_line": "GET \/terraform.tfvars HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/terraform.tfvars", "evidence_snippet": "GET \/terraform.tfvars HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950406:ssrf-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /static/js/main.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/main.js UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 33 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950406:ssrf-3 950468:nosqli-3 Cible HTTP GET /static/js/main.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /static/js/main.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 5 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /static/js/main.js HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /static/js/main.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.c Requête brute (extrait) GET /static/js/main.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "fc1209930d53479f9de40769306d0e03c0e12113", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 186, "payload_entropy": 5.129893605270431, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 7, "anomaly_count": 0, "campaign_key": "77d390b52ab9ae3d2bded485df4427f049bd4098", "event_fingerprint": "71b5415eb6e14db526ce5b0808fc3330947f33b3", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "43555f7d6cb1d3050368420d1b6c01d4", "path_pattern_hash": "d7eccad93f9f7ba9883784f3d98302b8" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "method": "GET", "path": "\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "evidence": { "method": "GET", "path": "\/static\/js\/main.js", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "request_sample": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "00c52f4d0a5e2c5ef337f426a1b318ea56fcbd64", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js", "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/main.js", "request_line": "GET \/static\/js\/main.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/main.js", "evidence_snippet": "GET \/static\/js\/main.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.c", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /js/app.js	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/app.js UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /js/app.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /js/app.js HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Requête brute (extrait) GET /js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "a67b7fd1369c70e927d0ff1b268c14a5fc98e506", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "a22d1d868692973288e25c89f766247feac6353d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 187, "payload_entropy": 5.365581606902678, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "60fa118db27e033c8b9a142c40494797c4b15a16", "event_fingerprint": "a7cfe32e49ad12c7ef3664e5ecf58661a8d4d347", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a043508728a6b69d9667ac6f173874bf", "payload_hash": "bf88882fdd3b7d7f98e513524e071246", "path_pattern_hash": "de7fe7d5b9603182c141cba6f00e2511" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 ", "method": "GET", "path": "\/js\/app.js", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/app.js HTTP\/1.1", "request_sample": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0", "evidence": { "method": "GET", "path": "\/js\/app.js", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/js\/app.js HTTP\/1.1", "request_sample": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2faad0cbb8edcf44b302a7421b7cfbccfb513efa", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js", "request_line": "GET \/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/app.js", "request_line": "GET \/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/app.js", "evidence_snippet": "GET \/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /js/config.js	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /js/config.js UA python-requests/2.28.0 Émulateur HTTP WAF 17 Recommandation Investiguer Tags 950316:lfi-14 950468:nosqli-3 scanner-ua anomaly:scanner-ua Cible HTTP GET /js/config.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /js/config.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /js/config.js HTTP/1.1` User-Agent python-requests/2.28.0 Règles WAF lfi-14 nosqli-3 scanner-ua Payload (extrait) GET /js/config.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "js", "http_ua_hash": "6138fbc1f454dd2d02de8df42ee0338acb02be6c", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "f5afc629ed7fb6b21acd96102b14535f7eccb6cd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 131, "payload_entropy": 5.057972594496701, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 76, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 54, "tag_count": 6, "anomaly_count": 1, "campaign_key": "11ba358b21817ec09e5329876e490efd666c4170", "event_fingerprint": "d75b7e54f5f6dad266fe20f5f81256ed3dfdd134", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3bb291801334b2535cf4091a382a71d", "payload_hash": "9eb87f3953ec7ba42a921dc5985e5250", "path_pattern_hash": "31cba546269a313085e31a4b0b460574" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r", "method": "GET", "path": "\/js\/config.js", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "scanner-ua" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "scanner-ua" ], "request_line": "GET \/js\/config.js HTTP\/1.1", "request_sample": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/js\/config.js", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "scanner-ua" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "scanner-ua" ], "request_line": "GET \/js\/config.js HTTP\/1.1", "request_sample": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7c111855375872cff47ae6db3c01030718bb3ef8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/config.js", "request_line": "GET \/js\/config.js HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/config.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/js\/config.js", "request_line": "GET \/js\/config.js HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/js\/config.js", "evidence_snippet": "GET \/js\/config.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 76 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /docker-compose.yml	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /docker-compose.yml UA Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 net_web_probe Cible HTTP GET /docker-compose.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /docker-compose.yml Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Probe /docker-compose.yml Ligne de requête `GET /docker-compose.yml HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /docker-compose.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google. Requête brute (extrait) GET /docker-compose.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "59c3d4f2509c82627f0eeb8e0e13ae1254eb4065", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "284ed5c0f139fefe102f54c41fbd64a2a9a5ffd9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 187, "payload_entropy": 5.140439488850184, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "acae8dcf21ce4b07f2d2a8f6e4700c3344ae011b", "event_fingerprint": "0cb62e09ee11bf4f816e76436d8af00dd6fa18ed", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103", "pat-0251" ], "matched_pattern_names": [ "LFI Double-dot bypass", "Probe \/docker-compose.yml" ], "pattern_ids": [ "pat-0103", "pat-0251" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "043937ea8abaea325dbde1020b1bdd9f", "payload_hash": "a75780170aa5aa7ea4510525c83832f9", "path_pattern_hash": "96d32e90d2f8019607590c30e27c0bff" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.", "method": "GET", "path": "\/docker-compose.yml", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/docker-compose.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.", "evidence": { "method": "GET", "path": "\/docker-compose.yml", "user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/docker-compose.yml HTTP\/1.1", "request_sample": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4648e2ed99fa10ae78d1e7e6f207505db07c1a63", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yml", "request_line": "GET \/docker-compose.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/docker-compose.yml", "request_line": "GET \/docker-compose.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/docker-compose.yml", "evidence_snippet": "GET \/docker-compose.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /dist/js/app.js	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /dist/js/app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /dist/js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /dist/js/app.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 61 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /dist/js/app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /dist/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch Requête brute (extrait) GET /dist/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "f32cea479e784489678c6dd0ff2e46c0f0aea6f0", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "faee33e43c7a7b20bc3162b1910a5f08627cc973", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 202, "payload_entropy": 5.292366557809001, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "60fa118db27e033c8b9a142c40494797c4b15a16", "event_fingerprint": "e0776ad9dafab2530e5a1989de475fa7f7e89f67", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "68152b53bdbc42efab93e1a65aa43b12", "payload_hash": "1d27e8a78084d7aa321abef1e7f0b61e", "path_pattern_hash": "1b85e9f24274ccd77769e12b6e295d9e" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch", "method": "GET", "path": "\/dist\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/js\/app.js HTTP\/1.1", "request_sample": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch", "evidence": { "method": "GET", "path": "\/dist\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/dist\/js\/app.js HTTP\/1.1", "request_sample": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "219327f1a9c548979be9bc58f0f169fb0d9da340", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/js\/app.js", "request_line": "GET \/dist\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/js\/app.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/dist\/js\/app.js", "request_line": "GET \/dist\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/dist\/js\/app.js", "evidence_snippet": "GET \/dist\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /.gitlab-ci.yml	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.gitlab-ci.yml UA Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100… Émulateur HTTP WAF 13 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 http_sensitive_path net_web_probe Cible HTTP GET /.gitlab-ci.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /.gitlab-ci.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /.gitlab-ci.yml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100 Requête brute (extrait) GET /.gitlab-ci.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "275047f33fcfba22b49ba38621d94d6e930d6b58", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "438af05b92495206533fc223d46e511d40c32485", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.254390989631871, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cb40d2102ad0fea664321908f392e1c8fec7f8d2", "event_fingerprint": "fe4e431a54855a388853454d7fb0cda8ce7c0888", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ccb11ace7973572967f1bc6e8e53c47b", "payload_hash": "708a3588987808ed0321e35f9d4b9c64", "path_pattern_hash": "1c248e6546ed96558dfcda198b4e61ef" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100", "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100", "evidence": { "method": "GET", "path": "\/.gitlab-ci.yml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "request_sample": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "acfe72b0555d14a2713e3b92955ceec5ddb46e5a", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.gitlab-ci.yml", "request_line": "GET \/.gitlab-ci.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100101 Firefox\/121.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.gitlab-ci.yml", "evidence_snippet": "GET \/.gitlab-ci.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko\/20100", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /.github/workflows/deploy.yml	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /.github/workflows/deploy.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0… Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /.github/workflows/deploy.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /.github/workflows/deploy.yml Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /.github/workflows/deploy.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.3 Requête brute (extrait) GET /.github/workflows/deploy.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "yml", "http_ua_hash": "a67b7fd1369c70e927d0ff1b268c14a5fc98e506", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "9a980960a1dce8601282270803934f12c1e6c3d4", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 206, "payload_entropy": 5.42944996995857, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 84, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c021f4e00ac10eb2a5f242cc270c50c9f161736c", "event_fingerprint": "129fb91f592320c474f138dba38c7cf4964d789a", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a043508728a6b69d9667ac6f173874bf", "payload_hash": "66e19f30615b8b19580f9069faf31522", "path_pattern_hash": "76cfbca880390f07dc02774a92e03828" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.3", "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/.github\/workflows\/deploy.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "request_sample": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.3", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c23a6231f2d9cf7a6e9ce8d15a087552a6f9d745", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.3", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/.github\/workflows\/deploy.yml", "request_line": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/.github\/workflows\/deploy.yml", "evidence_snippet": "GET \/.github\/workflows\/deploy.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.3", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /bundle.js	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /bundle.js UA curl/7.68.0 Émulateur HTTP WAF 3 Recommandation Investiguer Tags scanner-ua anomaly:scanner-ua http_ua_suspicious net_web_probe Cible HTTP GET /bundle.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /bundle.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /bundle.js HTTP/1.1` User-Agent curl/7.68.0 Règles WAF scanner-ua Payload (extrait) GET /bundle.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: curl/7.68.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "js", "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "5c28bc6707fadbc1c6dacdabca89ac4afb276d6a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 117, "payload_entropy": 5.042624870095095, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 20, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 1, "campaign_key": "be40871600f5564be88afec047f506abd82d7460", "event_fingerprint": "75a9cf1317d9cf97e3e71664713ffecd91c95a76", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "019949ece80fa9bcc1487997fa5f8598", "path_pattern_hash": "59bff92e27ba3df61892a035edfe8dbf" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/bundle.js", "user_agent": "curl\/7.68.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/bundle.js HTTP\/1.1", "request_sample": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/bundle.js", "user_agent": "curl\/7.68.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/bundle.js HTTP\/1.1", "request_sample": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "008bb458d6212ea938190da91ce43ac306c19b72", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js", "request_line": "GET \/bundle.js HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/bundle.js", "request_line": "GET \/bundle.js HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/bundle.js", "evidence_snippet": "GET \/bundle.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /static/js/app.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/app.js UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /static/js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /static/js/app.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /static/js/app.js HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /static/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Requête brute (extrait) GET /static/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "f32cea479e784489678c6dd0ff2e46c0f0aea6f0", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "2e8487d6ca226d333a0e0e427de3a57a117c9672", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.293507786540373, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "db4c23ab4f5eedd9dd028006b67e6bfef8cd7f57", "event_fingerprint": "983cc78cfc5ec64632a95e3d08db9b41dbf07628", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "68152b53bdbc42efab93e1a65aa43b12", "payload_hash": "b39a3c5144744e21a4477a80390dbb9c", "path_pattern_hash": "02ccc7d3f44ece92b2d30ec0bac374d7" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 ", "method": "GET", "path": "\/static\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/static\/js\/app.js", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d7b7179535a20574fefce0f4b8ed3e75f9396373", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js", "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js", "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js", "evidence_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_static", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /web.config	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /web.config UA curl/7.68.0 Émulateur HTTP WAF 3 Recommandation Investiguer Tags scanner-ua anomaly:scanner-ua http_sensitive_path http_ua_suspicious Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 100 % — 1 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent curl/7.68.0 Règles WAF scanner-ua Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: curl/7.68.0 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 131, "payload_entropy": 5.032759091376042, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 20, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 51, "tag_count": 5, "anomaly_count": 1, "campaign_key": "fa7afd1265f3f554f7f6361b0da707f3590709ed", "event_fingerprint": "b86b6795ae999dceb80857ec57c0f1d20f94b01d", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0120" ], "matched_pattern_names": [ "LFI IIS web.config" ], "pattern_ids": [ "pat-0120" ], "confidence_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "50a3a2b9fdc0cf1ab9ad08a8fe73b038", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r", "method": "GET", "path": "\/web.config", "user_agent": "curl\/7.68.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "curl\/7.68.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f41393da6fc5ba785286ffc43038d0c9c02a9d0e", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 20, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "anomaly:scanner-ua", "http_sensitive_path", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /assets/js/app.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /assets/js/app.js UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0… Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /assets/js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /assets/js/app.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /assets/js/app.js HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /assets/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120 Requête brute (extrait) GET /assets/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "a67b7fd1369c70e927d0ff1b268c14a5fc98e506", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "c20c14d69fc860e6e181daa83a51f3856275eebc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.351734036336488, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "7440a7a221b7dce7174a689ff6f06e6f3bb4dd87", "event_fingerprint": "17b6003de08b5adbc33a9e91e92e07b8872c56c7", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a043508728a6b69d9667ac6f173874bf", "payload_hash": "1afa07fab2161990577c19bc62f6762d", "path_pattern_hash": "1c171e73ffc23602ba087de1dfbe539e" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120", "method": "GET", "path": "\/assets\/js\/app.js", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/js\/app.js HTTP\/1.1", "request_sample": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120", "evidence": { "method": "GET", "path": "\/assets\/js\/app.js", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/js\/app.js HTTP\/1.1", "request_sample": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1763ca20ba2be048ac5b0eacb848917c3bbbcdbf", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/app.js", "request_line": "GET \/assets\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/app.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/app.js", "request_line": "GET \/assets\/js\/app.js HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/app.js", "evidence_snippet": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /static/js/app.js	Élevée	Moyen · 54
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /static/js/app.js UA python-requests/2.28.0 Émulateur HTTP WAF 17 Recommandation Investiguer Tags 950316:lfi-14 950468:nosqli-3 scanner-ua anomaly:scanner-ua Cible HTTP GET /static/js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /static/js/app.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /static/js/app.js HTTP/1.1` User-Agent python-requests/2.28.0 Règles WAF lfi-14 nosqli-3 scanner-ua Payload (extrait) GET /static/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: cl Requête brute (extrait) GET /static/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "6138fbc1f454dd2d02de8df42ee0338acb02be6c", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "2e8487d6ca226d333a0e0e427de3a57a117c9672", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 135, "payload_entropy": 5.059394857667066, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 76, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 54, "tag_count": 7, "anomaly_count": 1, "campaign_key": "bb5a55f3b4c8f23665e85d72e43a512b81acf3d0", "event_fingerprint": "983cc78cfc5ec64632a95e3d08db9b41dbf07628", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "confidence_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 54, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3bb291801334b2535cf4091a382a71d", "payload_hash": "4f82876b796cf9fcee8f9bd13117476e", "path_pattern_hash": "02ccc7d3f44ece92b2d30ec0bac374d7" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "method": "GET", "path": "\/static\/js\/app.js", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "scanner-ua" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "scanner-ua" ], "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "evidence": { "method": "GET", "path": "\/static\/js\/app.js", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "950316:lfi-14", "950468:nosqli-3", "scanner-ua" ], "waf_rule_names": [ "lfi-14", "nosqli-3", "scanner-ua" ], "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "request_sample": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3a2247dca9032f77d81f0dd851bf3f7e2c83e8ac", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js", "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 76, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 54, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/static\/js\/app.js", "request_line": "GET \/static\/js\/app.js HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/static\/js\/app.js", "evidence_snippet": "GET \/static\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: cl", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 76 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950468:nosqli-3", "anomaly:scanner-ua", "http_probe_static", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Flood / DDoS http flood · via HTTP:7443 · (tentative d'exploit) · → /assets/js/app.js	Élevée	Moyen · 62
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1499 TA0001 TA0002 Protocole GET /assets/js/app.js UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950316:lfi-14 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /assets/js/app.js TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /assets/js/app.js Service HTTP Pourquoi cette classification : Type « http_flood » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1499 Technique MITRE T1499 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /assets/js/app.js HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF lfi-14 ssrf-3 nosqli-3 Payload (extrait) GET /assets/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encod Requête brute (extrait) GET /assets/js/app.js HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "js", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "c20c14d69fc860e6e181daa83a51f3856275eebc", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 160, "payload_entropy": 5.071256339050089, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 100, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 6, "anomaly_count": 0, "campaign_key": "a538800e22833e6c613206a47c0671cf0cf1ce81", "event_fingerprint": "17b6003de08b5adbc33a9e91e92e07b8872c56c7", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 122, "precision_signals": [ "MITRE-T1499" ], "kb_rule_ids": [ "MITRE-T1499" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "e16ed5ed9e31931112223fd76e66acaa", "path_pattern_hash": "1c171e73ffc23602ba087de1dfbe539e" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "method": "GET", "path": "\/assets\/js\/app.js", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/assets\/js\/app.js HTTP\/1.1", "request_sample": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "evidence": { "method": "GET", "path": "\/assets\/js\/app.js", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3" ], "request_line": "GET \/assets\/js\/app.js HTTP\/1.1", "request_sample": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1499" ], "mitre": "T1499", "threat_family": [ "ddos" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "68f39e5bd43ec9b23e448900340ec70f637ec3e5", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/app.js", "request_line": "GET \/assets\/js\/app.js HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/app.js", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1499 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 80, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1499" ], "tags_summary_labels_fr": [ "MITRE-T1499" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1499", "mitre_technique": "T1499", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/assets\/js\/app.js", "request_line": "GET \/assets\/js\/app.js HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http flood \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/assets\/js\/app.js", "evidence_snippet": "GET \/assets\/js\/app.js HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encod", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_web_probe" ] }
08/06/2026 12:28:01 UTC	TCP	7443 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:7443 · (tentative d'exploit) · → /web.config	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /web.config UA Googlebot/2.1 (+http://www.google.com/bot.html) Émulateur HTTP WAF 12 Recommandation Surveiller Tags 950406:ssrf-3 950470:nosqli-3 http_sensitive_path net_web_probe Cible HTTP GET /web.config TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /web.config Service HTTP Pourquoi cette classification : Sonde fichier sensible: fichier configuration · Règle WAF « ssrf-3 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 47 Confiance : Confiance 100 % — 2 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass LFI IIS web.config Ligne de requête `GET /web.config HTTP/1.1` User-Agent Googlebot/2.1 (+http://www.google.com/bot.html) Règles WAF ssrf-3 nosqli-3 Payload (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: g Requête brute (extrait) GET /web.config HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html) Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "config", "http_ua_hash": "aae7566770cbc03080628dfa8dec3d265d6c3bda", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 154, "payload_entropy": 5.035722633503126, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 56, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 56, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "49b8b01c52e19de48a8cb46aeb0c94d17a35fc66", "event_fingerprint": "b86b6795ae999dceb80857ec57c0f1d20f94b01d", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103", "pat-0120" ], "matched_pattern_names": [ "LFI Double-dot bypass", "LFI IIS web.config" ], "pattern_ids": [ "pat-0103", "pat-0120" ], "confidence_breakdown": { "waf": 56, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 47, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b9c3da31723cfb2217e12c047b2e0aa9", "payload_hash": "38e653ec69fb019af832b32b1a5f8218", "path_pattern_hash": "0913647d7e838cdd727ceda37a671f37" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: g", "method": "GET", "path": "\/web.config", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: g", "evidence": { "method": "GET", "path": "\/web.config", "user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "waf_tags": [ "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "ssrf-3", "nosqli-3" ], "request_line": "GET \/web.config HTTP\/1.1", "request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: g", "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fece7048fe84e4064cb487c8c61ee814863ce41f", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: g", "attack_vector": "config file probe \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: fichier configuration \u00b7 R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 56, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 47, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/web.config", "request_line": "GET \/web.config HTTP\/1.1", "http_user_agent": "Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/web.config", "evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Googlebot\/2.1 (+http:\/\/www.google.com\/bot.html)\r\nAccept-Encoding: g", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 56 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950406:ssrf-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
08/06/2026 12:28:00 UTC	TCP	7443 · HTTP	http	Scan de ports port scan syn · via HTTP:7443 · (reconnaissance) · → /appsettings.json	Élevée	Faible · 37
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /appsettings.json UA curl/7.68.0 Émulateur HTTP WAF 3 Recommandation Surveiller Tags scanner-ua anomaly:scanner-ua http_ua_suspicious net_web_probe Cible HTTP GET /appsettings.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /appsettings.json Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Faible · 37 Confiance : Confiance 52 % — 1 tag(s) WAF Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Motifs de détection (base) Cred ASP.NET settings Ligne de requête `GET /appsettings.json HTTP/1.1` User-Agent curl/7.68.0 Règles WAF scanner-ua Payload (extrait) GET /appsettings.json HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: curl/7.68.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "1bb70c4d477e16ecbd1bc700e3f66fae61eb4898", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 124, "payload_entropy": 4.995735826775723, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20 }, "risk_score": 37, "tag_count": 4, "anomaly_count": 1, "campaign_key": "bda4062ae057796920aca4062758d8a29309f351", "event_fingerprint": "d1402646333b4659554469fad6c47007417a1769", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "matched_patterns": [ "pat-0466" ], "matched_pattern_names": [ "Cred ASP.NET settings" ], "pattern_ids": [ "pat-0466" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 37, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "91d515d4555ec7f907ceae6743b40385", "path_pattern_hash": "8a0b1852fc2be645a82e96b3e5fdd755" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 37 }, "payload_preview": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/appsettings.json", "user_agent": "curl\/7.68.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/appsettings.json", "user_agent": "curl\/7.68.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/appsettings.json HTTP\/1.1", "request_sample": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d7fb07bd725d8dbcf4dfea8d1f71840369fa2bd0", "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.json", "request_line": "GET \/appsettings.json HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:7443 \u00b7 (reconnaissance) \u00b7 \u2192 \/appsettings.json", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 37\/100 (Faible) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 37, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 37, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/appsettings.json", "request_line": "GET \/appsettings.json HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7443 \u00b7 (reconnaissance) \u00b7 \u2192 \/appsettings.json", "evidence_snippet": "GET \/appsettings.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: curl\/7.68.0\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:00 UTC	TCP	7443 · HTTP	http	Scan de ports port scan syn · via HTTP:7443 · (reconnaissance) · → /application.yml	Élevée	Faible · 37
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /application.yml UA python-requests/2.28.0 Émulateur HTTP WAF 3 Recommandation Surveiller Tags scanner-ua anomaly:scanner-ua http_ua_suspicious net_web_probe Cible HTTP GET /application.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /application.yml Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Faible · 37 Confiance : Confiance 52 % — 1 tag(s) WAF Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Ligne de requête `GET /application.yml HTTP/1.1` User-Agent python-requests/2.28.0 Règles WAF scanner-ua Payload (extrait) GET /application.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: clo Requête brute (extrait) GET /application.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "6138fbc1f454dd2d02de8df42ee0338acb02be6c", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "b5819b2c14e2e66f80448b9cafafa1033e7b1cec", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 134, "payload_entropy": 5.083903184893231, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20 }, "risk_score": 37, "tag_count": 4, "anomaly_count": 1, "campaign_key": "bda4062ae057796920aca4062758d8a29309f351", "event_fingerprint": "9e8f8c51f8299614406c0e0998ca6fffbe886148", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 37, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3bb291801334b2535cf4091a382a71d", "payload_hash": "14a04baa4b6069330186f4a74da29280", "path_pattern_hash": "18101755b44cc6d8b270134bcce32edf" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 37 }, "payload_preview": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: clo", "method": "GET", "path": "\/application.yml", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/application.yml HTTP\/1.1", "request_sample": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: clo", "evidence": { "method": "GET", "path": "\/application.yml", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/application.yml HTTP\/1.1", "request_sample": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: clo", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "490421d0024d34fe9339554c0ab40679915bbd4d", "protocol_details": { "http_method": "GET", "http_path": "\/application.yml", "request_line": "GET \/application.yml HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: clo", "attack_vector": "port scan syn \u00b7 via HTTP:7443 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 37\/100 (Faible) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 37, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 37, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/application.yml", "request_line": "GET \/application.yml HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7443 \u00b7 (reconnaissance) \u00b7 \u2192 \/application.yml", "evidence_snippet": "GET \/application.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: clo", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
08/06/2026 12:28:00 UTC	TCP	7443 · HTTP	http	SSRF interne ssrf internal · via HTTP:7443 · (tentative d'exploit) · → /application.properties	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /application.properties UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /application.properties TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /application.properties Service HTTP Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54% Confiance classification 62% Corrélation +8 Risque capteur Moyen · 46 Confiance : Confiance 54 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux CRS-920350 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /application.properties HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /application.properties HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWe Requête brute (extrait) GET /application.properties HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "properties", "http_ua_hash": "c2e8884208d80a53736f57e58e974bfcb74b894e", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "e3fd46d86bb2ad69319106117f93875bff130862", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.24853206106637, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3cf08abad56acabaae7e90bd170c28948d17a86e", "event_fingerprint": "1342f36e618ccb1a87b93fa076bb8312fbbdff55", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 64, "precision_signals": [ "CRS-920350" ], "kb_rule_ids": [ "CRS-920350" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "ssrf_attack", "service_name": "http", "risk_confidence_factor": 54, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b39d48a59fdaf429a099916c5ddf7e4c", "payload_hash": "ed0683c6a1757fa71550e0306eea8e57", "path_pattern_hash": "8c4feac6bcb94afde681db33f96763e3" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWe", "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWe", "evidence": { "method": "GET", "path": "\/application.properties", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/application.properties HTTP\/1.1", "request_sample": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWe", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "90a598d8be32f5dacbcd51195937dd56d7ca43b1", "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWe", "attack_vector": "ssrf internal \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.properties", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "CRS-920350" ], "tags_summary_labels_fr": [ "CRS-920350" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/application.properties", "request_line": "GET \/application.properties HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf internal \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/application.properties", "evidence_snippet": "GET \/application.properties HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWe", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:00 UTC	TCP	7443 · HTTP	http	SSRF interne ssrf internal · via HTTP:7443 · (tentative d'exploit) · → /tencent.yml	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /tencent.yml UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /tencent.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /tencent.yml Service HTTP Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54% Confiance classification 62% Corrélation +8 Risque capteur Moyen · 46 Confiance : Confiance 54 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux CRS-920350 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /tencent.yml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /tencent.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0. Requête brute (extrait) GET /tencent.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "a67b7fd1369c70e927d0ff1b268c14a5fc98e506", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "d399b0418088e97e547b6c435a3977d34348420a", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 189, "payload_entropy": 5.341063090488702, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 60, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3cf08abad56acabaae7e90bd170c28948d17a86e", "event_fingerprint": "ce034a30aae0b68de68c8f604908d8258f3546a1", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 64, "precision_signals": [ "CRS-920350" ], "kb_rule_ids": [ "CRS-920350" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "ssrf_attack", "service_name": "http", "risk_confidence_factor": 54, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a043508728a6b69d9667ac6f173874bf", "payload_hash": "9c2c5b4af926137c2956debf3cc51311", "path_pattern_hash": "a6c55432fab301ed9ddd69eff9ae397b" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/tencent.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.", "method": "GET", "path": "\/tencent.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/tencent.yml HTTP\/1.1", "request_sample": "GET \/tencent.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/tencent.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.", "evidence": { "method": "GET", "path": "\/tencent.yml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/tencent.yml HTTP\/1.1", "request_sample": "GET \/tencent.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/tencent.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "25e551fa5937dd4bd41ba932db6c6e20525b8c1d", "protocol_details": { "http_method": "GET", "http_path": "\/tencent.yml", "request_line": "GET \/tencent.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/tencent.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.", "attack_vector": "ssrf internal \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/tencent.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 80, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "CRS-920350" ], "tags_summary_labels_fr": [ "CRS-920350" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/tencent.yml", "request_line": "GET \/tencent.yml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.0 Safari\/537.36", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf internal \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/tencent.yml", "evidence_snippet": "GET \/tencent.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 Chrome\/120.0.0.", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 12:28:00 UTC	TCP	7443 · HTTP	http	Scan de ports port scan syn · via HTTP:7443 · (reconnaissance) · → /qcloud.json	Élevée	Faible · 37
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /qcloud.json UA python-requests/2.28.0 Émulateur HTTP WAF 3 Recommandation Surveiller Tags scanner-ua anomaly:scanner-ua http_ua_suspicious net_web_probe Cible HTTP GET /qcloud.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /qcloud.json Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Faible · 37 Confiance : Confiance 52 % — 1 tag(s) WAF Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Ligne de requête `GET /qcloud.json HTTP/1.1` User-Agent python-requests/2.28.0 Règles WAF scanner-ua Payload (extrait) GET /qcloud.json HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "json", "http_ua_hash": "6138fbc1f454dd2d02de8df42ee0338acb02be6c", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "8ad572623c69d4adce82521d286f7eb000937c55", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 130, "payload_entropy": 5.0588641828411545, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20 }, "risk_score": 37, "tag_count": 4, "anomaly_count": 1, "campaign_key": "be40871600f5564be88afec047f506abd82d7460", "event_fingerprint": "e63b04c132f8da672822714db0b6b4526bdf8951", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 37, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3bb291801334b2535cf4091a382a71d", "payload_hash": "cd36e066490460ea6daaaf9e4300653c", "path_pattern_hash": "e9c0804683ffaf3c7cde7fc08c8bc221" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 37 }, "payload_preview": "GET \/qcloud.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n", "method": "GET", "path": "\/qcloud.json", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/qcloud.json HTTP\/1.1", "request_sample": "GET \/qcloud.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/qcloud.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/qcloud.json", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/qcloud.json HTTP\/1.1", "request_sample": "GET \/qcloud.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/qcloud.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2178a7b9dc302da17c12b0c55bfc00aad7f3814e", "protocol_details": { "http_method": "GET", "http_path": "\/qcloud.json", "request_line": "GET \/qcloud.json HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/qcloud.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:7443 \u00b7 (reconnaissance) \u00b7 \u2192 \/qcloud.json", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 37\/100 (Faible) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 37, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 37, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/qcloud.json", "request_line": "GET \/qcloud.json HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7443 \u00b7 (reconnaissance) \u00b7 \u2192 \/qcloud.json", "evidence_snippet": "GET \/qcloud.json HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 72 }
08/06/2026 12:28:00 UTC	TCP	7443 · HTTP	http	Scan de ports port scan syn · via HTTP:7443 · (reconnaissance) · → /cos.yml	Élevée	Faible · 37
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0043 TA0043 Protocole GET /cos.yml UA python-requests/2.28.0 Émulateur HTTP WAF 3 Recommandation Surveiller Tags scanner-ua anomaly:scanner-ua http_ua_suspicious net_web_probe Cible HTTP GET /cos.yml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7443 Chemin / cible /cos.yml Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 52% Confiance classification 60% Corrélation +8 Risque capteur Faible · 37 Confiance : Confiance 52 % — 1 tag(s) WAF Protocole émulé 1 Signaux Beh Scan Burst Technique MITRE TA0043 Tactiques MITRE TA0043 Ligne de requête `GET /cos.yml HTTP/1.1` User-Agent python-requests/2.28.0 Règles WAF scanner-ua Payload (extrait) GET /cos.yml HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: python-requests/2.28.0 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "yml", "http_ua_hash": "6138fbc1f454dd2d02de8df42ee0338acb02be6c", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "1aa047f999ef585c29a21e26497a5ea86a405489", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 5.052212932760587, "port_category": "registered", "org": "Byteplus Pte. Ltd.", "service": "http", "app_proto": "http", "asn": 150436, "country": "ID", "dst_port": 7443, "risk_waf": 20, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 20, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20 }, "risk_score": 37, "tag_count": 4, "anomaly_count": 1, "campaign_key": "be40871600f5564be88afec047f506abd82d7460", "event_fingerprint": "8393b209da783c6861faeb60aa56111b294c51e6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "confidence": 0.6, "classification_confidence": 0.6, "precision_score": 62, "precision_signals": [ "INT-beh-scan-burst" ], "kb_rule_ids": [ "INT-beh-scan-burst" ], "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 37, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 52, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "ID", "asn": 150436, "org": "Byteplus Pte. Ltd.", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f3bb291801334b2535cf4091a382a71d", "payload_hash": "c00082ac76cbc5e24f90d28b3983d7f2", "path_pattern_hash": "af645c705f7539fa16045f2662fc533c" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 37 }, "payload_preview": "GET \/cos.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/cos.yml", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/cos.yml HTTP\/1.1", "request_sample": "GET \/cos.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cos.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/cos.yml", "user_agent": "python-requests\/2.28.0", "waf_tags": [ "scanner-ua" ], "waf_rule_names": [ "scanner-ua" ], "request_line": "GET \/cos.yml HTTP\/1.1", "request_sample": "GET \/cos.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/cos.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre": "TA0043", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2a9d9d66e28c7ad9bb91ecc3a37964b7259af8a2", "protocol_details": { "http_method": "GET", "http_path": "\/cos.yml", "request_line": "GET \/cos.yml HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/cos.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "port scan syn \u00b7 via HTTP:7443 \u00b7 (reconnaissance) \u00b7 \u2192 \/cos.yml", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 52%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 37\/100 (Faible) \u2014 MITRE TA0043 \u2014 confiance 60 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 60, "confidence_breakdown": { "waf": 20, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 20, "risk_score": 37, "correlation_boost": 8 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 37, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "INT-beh-scan-burst" ], "tags_summary_labels_fr": [ "Beh Scan Burst" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0043", "mitre_technique": "TA0043", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/cos.yml", "request_line": "GET \/cos.yml HTTP\/1.1", "http_user_agent": "python-requests\/2.28.0", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7443 \u00b7 (reconnaissance) \u00b7 \u2192 \/cos.yml", "evidence_snippet": "GET \/cos.yml HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: python-requests\/2.28.0\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 52 % \u2014 1 tag(s) WAF", "confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }

163.7.3.220

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence