Renseignement sur les menaces

Nigeria

165.154.10.165

FAI UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED Première vue 22/01/2026 02:16 UTC Dernière vue 21/06/2026 00:02 UTC Risque Critique

Période analysée : 2026-05-22 → 2026-06-21

Activité suspecte · risque 40/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 22/01/2026 02:16 UTC

Dernière observation 21/06/2026 00:02 UTC

Événements (période) 26

MITRE ATT&CK principal TA0007 10 occurrences

Activité suspecte · risque 40/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_110_tcp » (signaux protocolaires) · confiance 55%

Confiance 55 % — Score WAF 8

Comparaison ASN / FAI

ASN 135377 · 165.154.10.0/24 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 26 événements sur la période pour cette IP.

165.154.65.185 Sonde RDP 21/06/2026 01:38 UTC
123.58.213.118 Sonde port 21/06/2026 01:38 UTC
104.218.164.229 Sonde RDP 21/06/2026 01:32 UTC
152.32.215.252 Sonde RDP 21/06/2026 01:26 UTC
103.218.240.78 Sonde RDP 21/06/2026 01:24 UTC
165.154.182.174 Tentative d'exploit 21/06/2026 01:22 UTC
152.32.142.86 Sonde port 21/06/2026 01:22 UTC
152.32.129.136 Sonde RDP 21/06/2026 01:20 UTC

Événements (filtres)

Première observation

22/01/2026 02:16 UTC

Dernière observation

21/06/2026 00:02 UTC

Dernière activité (filtres)

21/06/2026 00:02 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 10 MQTT TCP 4 POP3 TCP 4 TLS TCP 3 Telnet TCP 3

HTTP

MQTT

POP3

TLS

Telnet

Géolocalisation

Origine réseau déclarée

Nigeria unknown unknown

FAI / réseau

Opérateur et dernière activité ban

UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED 68 Port 110 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

port 110 tcp · via POP3:110 · (sonde / probe)

Détails protocole

POP3: Sonde protocole POP3 (USER/PASS)

Aperçu payload

AUTH NTLM

Port / service

110 · POP3

Service émulé

POP3

Raison confiance

Confiance 55 % — Classification nommée non retenue — preuves insuffisantes

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

55%

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

26 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

26 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
21/06/2026 00:02:53 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_pop3_probe pop3_emulated pop3_probe redis_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload AUTH NTLM Pourquoi cette classification : Type « port_110_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 40 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) AUTH NTLM Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 11, "payload_entropy": 3.277613436819116, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "pop3", "app_proto": "pop3", "asn": 135377, "country": "NG", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 40, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8d25bbcae6364818dea01020593ed8ccab457c66", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "51f81962b4b042f17b6a903545cec647", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 40 }, "payload_preview": "AUTH NTLM\r\n", "request_sample": "AUTH NTLM\r\n", "payload_snippet": "AUTH NTLM", "evidence": { "request_sample": "AUTH NTLM\r\n", "payload_snippet": "AUTH NTLM", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81dd04c2bed39134bf2d9fde1a62ef80ae0a21a1", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "AUTH NTLM", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "AUTH NTLM", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "AUTH NTLM", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "AUTH NTLM", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3_emulated", "pop3_probe", "redis_probe" ] }
21/06/2026 00:02:49 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_pop3_probe pop3_emulated pop3_starttls Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Payload STLS Pourquoi cette classification : Type « port_110_tcp » (signaux protocolaires) · confiance 62% Confiance classification 62% Risque capteur Faible · 38 Confiance : Confiance 62 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Signaux Email Pop3 User Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) POP3S STLS User-Agent — Règles WAF — Payload (extrait) STLS Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 6, "payload_entropy": 2.2516291673878226, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "pop3", "app_proto": "pop3", "asn": 135377, "country": "NG", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 3, "anomaly_count": 0, "campaign_key": "48ccaa4e031630a8bc7c77f3bb9d7b66fbd135d1", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 74, "precision_signals": [ "INT-EMAIL-pop3-user" ], "kb_rule_ids": [ "INT-EMAIL-pop3-user" ], "matched_patterns": [ "pat-0631" ], "matched_pattern_names": [ "POP3S STLS" ], "pattern_ids": [ "pat-0631" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_bruteforce", "service_name": "pop3", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "813470f1db1ec2e7586921e1e8c83ef5", "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "payload_preview": "STLS\r\n", "request_sample": "STLS\r\n", "payload_snippet": "STLS", "evidence": { "request_sample": "STLS\r\n", "payload_snippet": "STLS", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 62%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b9d302b480aea9c3db46a57baba90f4f91b40585", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "STLS", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "STLS", "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 62 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 62%", "classification_reason_label_fr": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 62, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "INT-EMAIL-pop3-user" ], "tags_summary_labels_fr": [ "Email Pop3 User" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "STLS", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "STLS", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 62 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3_emulated", "pop3_starttls" ] }
21/06/2026 00:02:45 UTC	TCP	110 · POP3	pop3	Sonde port 110/TCP port 110 tcp · via POP3:110 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_pop3_probe pop3_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Preuve honeypot — Sonde port 110/TCP Connexion détectée sur le port 110 (TCP) du capteur simulé. Service POP3 Pourquoi cette classification : Type « port_110_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "pop3", "app_proto": "pop3", "asn": 135377, "country": "NG", "dst_port": 110, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0bc29430209a1501e4a4048f59725d53efecdcd6", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "pop3", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "dc4164b66ff59a3b1d171afce3368aeb" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 38 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "92905bc731f5997d91db958dfa59f6c569432dbe", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3_emulated" ] }
21/06/2026 00:02:44 UTC	TCP	110 · POP3	pop3	Sonde PostgreSQL postgres probe · via POP3:110 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3 WAF — Recommandation Surveiller Tags net_pop3_probe pop3_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 110 Chemin / cible — Service POP3 Payload ��Y u�.Lo��'�vt��9tMS=�^ .:^� �Ҧ��\|�A(�WnH^�z��S�L�9>;�\4̨̩�/�0�+�,� �̨̪3=� 9� ��/5� Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Yu�.Lo��'�vt��9tMS=�^ .:^� �Ҧ��\|�A(�WnH^�z��S�L�9>;�\4̨̩�/�0�+�,� �̨̪3=� 9� ��/5� Requête brute (extrait) ��Y u�.Lo��'�vt��9tMS=�^ .:^� �Ҧ��\|�A(�WnH^�z��S�L�9>;�\4̨̩�/�0�+�,� �̨̪3=� 9� ��/5�{ �+ 3&$ x��P�J�too%M)��;�vqsE$� Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 257, "payload_entropy": 5.840932177176298, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "pop3", "app_proto": "pop3", "asn": 135377, "country": "NG", "dst_port": 110, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "449517742a599f946a186910e8d4c234ab9ecde4", "event_fingerprint": "8d5f083aa812a6762c3b48b8375cd32260924478", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "pop3", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "226721af0eb57d33068aec06b190638c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 110, "service": "pop3", "service_name": "pop3", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y\u000bu\ufffd.\u000fLo\ufffd\ufffd\ufffd\u000e'\ufffdvt\ufffd\ufffd9tMS=\ufffd^\r.:^\ufffd\u0017\u0012 \ufffd\u04a6\ufffd\ufffd\u0016\u0011\|\ufffdA(\ufffdWnH^\ufffdz\ufffd\ufffd\ufffd\ufffdS\ufffdL\ufffd9\u0017>;\ufffd\\\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y\u000bu\ufffd.\u000fLo\ufffd\ufffd\ufffd\u000e'\ufffdvt\ufffd\ufffd9tMS=\ufffd^\r.:^\ufffd\u0017\u0012 \ufffd\u04a6\ufffd\ufffd\u0016\u0011\|\ufffdA(\ufffdWnH^\ufffdz\ufffd\ufffd\ufffd\ufffdS\ufffdL\ufffd9\u0017>;\ufffd\\\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 x\ufffd\ufffd\ufffd\b\ufffdP\u0013\ufffdJ\ufffdto\u0018o%M)\ufffd\ufffd\ufffd\u0019;\ufffdvqsE\u0017$\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y\u000bu\ufffd.\u000fLo\ufffd\ufffd\ufffd\u000e'\ufffdvt\ufffd\ufffd9tMS=\ufffd^\r.:^\ufffd\u0017\u0012 \ufffd\u04a6\ufffd\ufffd\u0016\u0011\|\ufffdA(\ufffdWnH^\ufffdz\ufffd\ufffd\ufffd\ufffdS\ufffdL\ufffd9\u0017>;\ufffd\\\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e8e66f17d0b4ff0a84e853fcae9886d5a986fe0", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y\u000bu\ufffd.\u000fLo\ufffd\ufffd\ufffd\u000e'\ufffdvt\ufffd\ufffd9tMS=\ufffd^\r.:^\ufffd\u0017\u0012 \ufffd\u04a6\ufffd\ufffd\u0016\u0011\|\ufffdA(\ufffdWnH^\ufffdz\ufffd\ufffd\ufffd\ufffdS\ufffdL\ufffd9\u0017>;\ufffd\\\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "evidence_snippet": "\ufffd\ufffdYu\ufffd.Lo\ufffd\ufffd\ufffd'\ufffdvt\ufffd\ufffd9tMS=\ufffd^\r.:^\ufffd \ufffd\u04a6\ufffd\ufffd\|\ufffdA(\ufffdWnH^\ufffdz\ufffd\ufffd\ufffd\ufffdS\ufffdL\ufffd9>;\ufffd\\4\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\ufffd\u0328\u032a3=\ufffd\n9\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd", "attack_vector": "postgres probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "pop3", "service_label_fr": "POP3", "dst_port": 110, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y\u000bu\ufffd.\u000fLo\ufffd\ufffd\ufffd\u000e'\ufffdvt\ufffd\ufffd9tMS=\ufffd^\r.:^\ufffd\u0017\u0012 \ufffd\u04a6\ufffd\ufffd\u0016\u0011\|\ufffdA(\ufffdWnH^\ufffdz\ufffd\ufffd\ufffd\ufffdS\ufffdL\ufffd9\u0017>;\ufffd\\\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "port": 110, "service": "pop3", "service_label_fr": "POP3" }, "attack_vector": "postgres probe \u00b7 via POP3:110 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdYu\ufffd.Lo\ufffd\ufffd\ufffd'\ufffdvt\ufffd\ufffd9tMS=\ufffd^\r.:^\ufffd \ufffd\u04a6\ufffd\ufffd\|\ufffdA(\ufffdWnH^\ufffdz\ufffd\ufffd\ufffd\ufffdS\ufffdL\ufffd9>;\ufffd\\4\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\ufffd\u0328\u032a3=\ufffd\n9\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd", "target_port_label": "110 \u00b7 POP3", "emulator_service": "pop3", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3", "service_banner": "honeypot-pop3", "service_os": "linux", "dst_port": "110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3_emulated", "tls_clienthello" ] }
19/06/2026 18:28:00 UTC	TCP	123 · HTTP	http	Cross-site scripting xss attack · via HTTP:123 · (tentative d'exploit) · → /robots.txt	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /robots.txt UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 123 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 43 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 SSRF Any-address SSRF Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:123 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 ( Requête brute (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:123 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,i Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "b14fe786bb14ed67103dd0a51a445c5b20cf75da", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 429, "payload_entropy": 5.51469191375791, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "dst_port": 123, "risk_waf": 60, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 2, "anomaly_count": 0, "campaign_key": "d5444dce4c5a216ef8a008205894b82de31e283c", "event_fingerprint": "42ff919f2664e0d549e5ad5d06fb0b5cc5fef0f3", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0324" ], "matched_pattern_names": [ "CRS 941130", "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0284", "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fd66a2f6f02ef8323e37dd4d2c2d8c7", "payload_hash": "cf0a0840ed268181eac976343016657c", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 123, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "method": "GET", "path": "\/robots.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,i", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,i", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b434e2b7027417b3f9b7c4e062c3248a5f34ce22", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 123, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "attack_vector": "xss attack \u00b7 via HTTP:123 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/robots.txt", "target_port_label": "123 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 123, "protocol_emulated": null, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 123, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:123 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (", "target_port_label": "123 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "123" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:123", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }
19/06/2026 18:28:00 UTC	TCP	123 · HTTP	http	Cross-site scripting xss attack · via HTTP:123 · (tentative d'exploit) · → /sitemap.xml	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /sitemap.xml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 123 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 43 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 SSRF Any-address SSRF Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:123 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Requête brute (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:123 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9, Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "b14fe786bb14ed67103dd0a51a445c5b20cf75da", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 430, "payload_entropy": 5.502517241048393, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "dst_port": 123, "risk_waf": 60, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 2, "anomaly_count": 0, "campaign_key": "d5444dce4c5a216ef8a008205894b82de31e283c", "event_fingerprint": "e34b04190e6dc89ab64c4973277ba9a8d19ca917", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0324" ], "matched_pattern_names": [ "CRS 941130", "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0284", "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fd66a2f6f02ef8323e37dd4d2c2d8c7", "payload_hash": "7c6eb99fa52fece7d15d02ceb786bf80", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 123, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 ", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d329597dd7a8f53ff30c78dabe9aaa6d8ec77de0", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 123, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "attack_vector": "xss attack \u00b7 via HTTP:123 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "123 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 123, "protocol_emulated": null, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 123, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:123 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "target_port_label": "123 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "123" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:123", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }
19/06/2026 18:27:59 UTC	TCP	123 · HTTP	http	SSRF interne ssrf internal · via HTTP:123 · (tentative d'exploit)	Élevée	Moyen · 50
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 123 Chemin / cible / Service HTTP Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54% Confiance classification 62% Corrélation +8 Risque capteur Moyen · 50 Confiance : Confiance 54 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux CRS-920350 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:123 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 User-Agent: Mozilla/5.0 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:123 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "b14fe786bb14ed67103dd0a51a445c5b20cf75da", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 251, "payload_entropy": 5.495424784306168, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "dst_port": 123, "risk_waf": 72, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 50, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9fc648595d909dc3019140fc7269563ddf07f414", "event_fingerprint": "4b4cab73439dcfd2209fbab1f3b27833cac3d4aa", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 64, "precision_signals": [ "CRS-920350" ], "kb_rule_ids": [ "CRS-920350" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 50, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "ssrf_attack", "service_name": "http", "risk_confidence_factor": 54, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fd66a2f6f02ef8323e37dd4d2c2d8c7", "payload_hash": "64c784a7cf166fdbf2491fac909e850a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 123, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0 ", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "42cdc50275118df421ce57e6bf672f1f2bb40a71", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 123, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0", "attack_vector": "ssrf internal \u00b7 via HTTP:123 \u00b7 (tentative d'exploit)", "target_port_label": "123 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 50, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 123, "protocol_emulated": null, "tags_summary": [ "CRS-920350" ], "tags_summary_labels_fr": [ "CRS-920350" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 123, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf internal \u00b7 via HTTP:123 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0", "target_port_label": "123 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "123" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:123", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
19/06/2026 18:27:59 UTC	TCP	123 · HTTP	http	Cross-site scripting xss attack · via HTTP:123 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 123 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 43 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 SSRF Any-address SSRF Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:123 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:123 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9, Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "b14fe786bb14ed67103dd0a51a445c5b20cf75da", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 430, "payload_entropy": 5.50636286733637, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "dst_port": 123, "risk_waf": 60, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 2, "anomaly_count": 0, "campaign_key": "d5444dce4c5a216ef8a008205894b82de31e283c", "event_fingerprint": "085ec64ea81f93ec223ea9216edf894ce009f89c", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0324" ], "matched_pattern_names": [ "CRS 941130", "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0284", "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fd66a2f6f02ef8323e37dd4d2c2d8c7", "payload_hash": "743ed6a4df91af6d9bcf5810808656d2", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 123, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 ", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4b457ab71095009e6966cc3c2b6a9c337aed53c4", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 123, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "attack_vector": "xss attack \u00b7 via HTTP:123 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "123 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 123, "protocol_emulated": null, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 123, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:123 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:123\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "target_port_label": "123 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "123" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:123", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "behavior_alert_count": 1, "behavior_priority": 96 }
19/06/2026 18:27:56 UTC	TCP	123	—	Sonde port Sonde port · port 123 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 123 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "NG", "dst_port": 123, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "d9157f98e1eef2a8b02e4b7db9a9a882fa092b1a", "event_fingerprint": "39e52b8cd8eb5a0c2c4617532ec32902c77f6bcc", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 123, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f9333bfec5e92f9bafd63c558c98a7ce77ac0b8", "protocol_details": { "port": 123 }, "attack_vector": "Sonde port \u00b7 port 123 \u00b7 (sonde \/ probe)", "target_port_label": "123", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 123, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 123 }, "attack_vector": "Sonde port \u00b7 port 123 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "123", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "123" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "port:123", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
19/06/2026 18:27:55 UTC	TCP	123 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:123 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 3429560be8f9b1b5 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 123 Chemin / cible — Service TLS Payload ��3�5Dh� �v��ּ�ru,Z�PD�0��>1 K��aTG�^W��ol'�o��,�nǑ�"�m�4̨̩�/�0�+�,� �̨̪3=� 9� ��/5� Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��3�5Dh� �v��ּ�ru,Z�PD�0��>1 K��aTG�^W��ol'�o��,�nǑ�"�m�4̨̩�/�0�+�,� �̨̪3=� 9� ��/5� Requête brute (extrait) ��3�5Dh� �v��ּ�ru,Z�PD�0��>1 K��aTG�^W��ol'�o��,�nǑ�"�m�4̨̩�/�0�+�,� �̨̪3=� 9� ��/5�{ �+ 3&$ ��)�g :��s:;�_�\|~�i��1 Meta JSON brut { "tls_ja3_hash": "3429560be8f9b1b5aa346694eb419bad", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "bytes_in": 257, "payload_entropy": 5.83666218844921, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "NG", "dst_port": 123, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f6143c3664ae69c08fff9145dc7ed813250381df", "event_fingerprint": "0724a0c866a826535ea12065bc435a45f232cafc", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "3429560be8f9b1b5aa346694eb419bad", "payload_hash": "4f8f41d47982bd7953c051aaed4fa248", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 123, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033\ufffd5Dh\ufffd\u0012 \ufffdv\ufffd\b\ufffd\u05bc\ufffdr\u0004u,Z\ufffdPD\ufffd0\ufffd\ufffd\u0001>1 \u001dK\ufffd\ufffda\u0005TG\ufffd^W\ufffd\ufffdol\u0004'\ufffdo\ufffd\ufffd\ufffd,\ufffdn\u01d1\ufffd\"\ufffdm\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033\ufffd5Dh\ufffd\u0012 \ufffdv\ufffd\b\ufffd\u05bc\ufffdr\u0004u,Z\ufffdPD\ufffd0\ufffd\ufffd\u0001>1 \u001dK\ufffd\ufffda\u0005TG\ufffd^W\ufffd\ufffdol\u0004'\ufffdo\ufffd\ufffd\ufffd,\ufffdn\u01d1\ufffd\"\ufffdm\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd)\u0007\ufffdg\u0015\t:\ufffd\ufffd\u0017\ufffds:;\ufffd_\u0010\ufffd\|~\u001c\ufffdi\ufffd\ufffd\ufffd1\u0013\u0006", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033\ufffd5Dh\ufffd\u0012 \ufffdv\ufffd\b\ufffd\u05bc\ufffdr\u0004u,Z\ufffdPD\ufffd0\ufffd\ufffd\u0001>1 \u001dK\ufffd\ufffda\u0005TG\ufffd^W\ufffd\ufffdol\u0004'\ufffdo\ufffd\ufffd\ufffd,\ufffdn\u01d1\ufffd\"\ufffdm\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7289b082a47dc50afc29064935087cd300ca17f0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033\ufffd5Dh\ufffd\u0012 \ufffdv\ufffd\b\ufffd\u05bc\ufffdr\u0004u,Z\ufffdPD\ufffd0\ufffd\ufffd\u0001>1 \u001dK\ufffd\ufffda\u0005TG\ufffd^W\ufffd\ufffdol\u0004'\ufffdo\ufffd\ufffd\ufffd,\ufffdn\u01d1\ufffd\"\ufffdm\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "tls_ja3": "3429560be8f9b1b5aa346694eb419bad", "port": 123, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd3\ufffd5Dh\ufffd \ufffdv\ufffd\ufffd\u05bc\ufffdru,Z\ufffdPD\ufffd0\ufffd\ufffd>1 K\ufffd\ufffdaTG\ufffd^W\ufffd\ufffdol'\ufffdo\ufffd\ufffd\ufffd,\ufffdn\u01d1\ufffd\"\ufffdm\ufffd4\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\ufffd\u0328\u032a3=\ufffd\n9\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:123 \u00b7 (sonde \/ probe)", "target_port_label": "123 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 123, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00033\ufffd5Dh\ufffd\u0012 \ufffdv\ufffd\b\ufffd\u05bc\ufffdr\u0004u,Z\ufffdPD\ufffd0\ufffd\ufffd\u0001>1 \u001dK\ufffd\ufffda\u0005TG\ufffd^W\ufffd\ufffdol\u0004'\ufffdo\ufffd\ufffd\ufffd,\ufffdn\u01d1\ufffd\"\ufffdm\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "tls_ja3": "3429560be8f9b1b5aa346694eb419bad", "port": 123, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:123 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd3\ufffd5Dh\ufffd \ufffdv\ufffd\ufffd\u05bc\ufffdru,Z\ufffdPD\ufffd0\ufffd\ufffd>1 K\ufffd\ufffdaTG\ufffd^W\ufffd\ufffdol'\ufffdo\ufffd\ufffd\ufffd,\ufffdn\u01d1\ufffd\"\ufffdm\ufffd4\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\ufffd\u0328\u032a3=\ufffd\n9\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd", "target_port_label": "123 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "123" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 14:59:56 UTC	TCP	1883 · MQTT	mqtt	mqtt probe mqtt probe · via MQTT:1883 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Connexion MQTT (CONNECT) Émulateur MQTT WAF — Recommandation Investiguer Tags mqtt_connect mqtt_emulated mqtt_payload net_mqtt_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1883 Chemin / cible — Service MQTT MQTT Connexion MQTT (CONNECT) Payload MQTTnmap Pourquoi cette classification : Type « mqtt_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Iot Mqtt Subscribe pat-0373 pat-0615 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MQTT protocol UA nmap Sigma nmap UA MQTT alt CONNECT Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) MQTTnmap Meta JSON brut { "protocol_emulated": true, "emulator_response": "20020000", "emulator_response_len": 4, "bytes_in": 18, "payload_entropy": 3.4193819456463714, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "mqtt", "app_proto": "mqtt", "asn": 135377, "country": "NG", "dst_port": 1883, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3e963f9dd53e583a20eeb192855b34c9d21629fc", "event_fingerprint": "cfbc4bf6c6ba306df7f60198b2c1e3ee0dcb8f30", "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 197, "precision_signals": [ "INT-IoT-mqtt-subscribe", "pat-0373", "pat-0615", "INT-upstream" ], "kb_rule_ids": [ "INT-IoT-mqtt-subscribe", "pat-0373", "pat-0615", "INT-upstream" ], "matched_patterns": [ "pat-0373", "pat-0448", "pat-0543", "pat-0615", "pat-0554" ], "matched_pattern_names": [ "MQTT protocol", "UA nmap", "Sigma nmap UA", "MQTT alt CONNECT", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0373", "pat-0448", "pat-0543", "pat-0615", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "mqtt", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad60b419f2f0103bea99389955f5bdf8", "path_pattern_hash": "4449b927317468afa12a2f935a413459" }, "target_context": { "dst_port": 1883, "service": "mqtt", "service_name": "mqtt", "risk_score": 50 }, "payload_preview": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "request_sample": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "payload_snippet": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "evidence": { "request_sample": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "payload_snippet": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e53b4dcc45935ef3b4bb913bce5cd0b89980fdd", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "payload_preview": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "evidence_snippet": "MQTTnmap", "attack_vector": "mqtt probe \u00b7 via MQTT:1883 \u00b7 (sonde \/ probe)", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTT", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "mqtt", "service_label_fr": "MQTT", "dst_port": 1883, "protocol_emulated": true, "tags_summary": [ "INT-IoT-mqtt-subscribe", "pat-0373", "pat-0615", "INT-upstream" ], "tags_summary_labels_fr": [ "Iot Mqtt Subscribe", "pat-0373", "pat-0615", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "MQTT 3.1.1", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "payload_preview": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "mqtt probe \u00b7 via MQTT:1883 \u00b7 (sonde \/ probe)", "evidence_snippet": "MQTTnmap", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtt", "service_banner": "MQTT 3.1.1", "service_os": "iot", "dst_port": "1883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "mqtt_connect", "mqtt_emulated", "mqtt_payload", "net_mqtt_probe" ] }
15/06/2026 14:59:56 UTC	TCP	1883 · MQTT	mqtt	mqtt probe mqtt probe · via MQTT:1883 · (sonde / probe)	Élevée	Moyen · 50
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 Protocole Connexion MQTT (CONNECT) Émulateur MQTT WAF — Recommandation Investiguer Tags mqtt_connect mqtt_emulated mqtt_payload net_mqtt_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1883 Chemin / cible — Service MQTT MQTT Connexion MQTT (CONNECT) Payload MQTT Pourquoi cette classification : Type « mqtt_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Risque capteur Moyen · 50 Confiance : Confiance 100 % — Motif catalogue confirmé Protocole émulé 1 Signaux Iot Mqtt Subscribe pat-0373 pat-0615 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MQTT protocol MQTT alt CONNECT Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) MQTT Meta JSON brut { "protocol_emulated": true, "emulator_response": "20020000", "emulator_response_len": 4, "bytes_in": 14, "payload_entropy": 2.950212064914747, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "mqtt", "app_proto": "mqtt", "asn": 135377, "country": "NG", "dst_port": 1883, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3e963f9dd53e583a20eeb192855b34c9d21629fc", "event_fingerprint": "cfbc4bf6c6ba306df7f60198b2c1e3ee0dcb8f30", "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 197, "precision_signals": [ "INT-IoT-mqtt-subscribe", "pat-0373", "pat-0615", "INT-upstream" ], "kb_rule_ids": [ "INT-IoT-mqtt-subscribe", "pat-0373", "pat-0615", "INT-upstream" ], "matched_patterns": [ "pat-0373", "pat-0615", "pat-0554" ], "matched_pattern_names": [ "MQTT protocol", "MQTT alt CONNECT", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0373", "pat-0615", "pat-0554" ], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "mqtt", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f92105a97921155d7194a1979d64f95c", "path_pattern_hash": "4449b927317468afa12a2f935a413459" }, "target_context": { "dst_port": 1883, "service": "mqtt", "service_name": "mqtt", "risk_score": 50 }, "payload_preview": "\u0010\f\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0000", "request_sample": "\u0010\f\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0000", "payload_snippet": "\u0010\f\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0000", "evidence": { "request_sample": "\u0010\f\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0000", "payload_snippet": "\u0010\f\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0000", "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "95ff937646e9010b9bbcdfe2e1078485c66685b6", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "payload_preview": "\u0010\f\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0000", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "evidence_snippet": "MQTT", "attack_vector": "mqtt probe \u00b7 via MQTT:1883 \u00b7 (sonde \/ probe)", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTT", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 50 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 50, "risk_label": "Moyen", "service_name": "mqtt", "service_label_fr": "MQTT", "dst_port": 1883, "protocol_emulated": true, "tags_summary": [ "INT-IoT-mqtt-subscribe", "pat-0373", "pat-0615", "INT-upstream" ], "tags_summary_labels_fr": [ "Iot Mqtt Subscribe", "pat-0373", "pat-0615", "Upstream" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "MQTT 3.1.1", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "payload_preview": "\u0010\f\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0000", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "mqtt probe \u00b7 via MQTT:1883 \u00b7 (sonde \/ probe)", "evidence_snippet": "MQTT", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtt", "service_banner": "MQTT 3.1.1", "service_os": "iot", "dst_port": "1883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "mqtt_connect", "mqtt_emulated", "mqtt_payload", "net_mqtt_probe" ] }
15/06/2026 14:59:52 UTC	TCP	1883 · MQTT	mqtt	mqtt probe mqtt probe · via MQTT:1883 · (sonde / probe)	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Connexion MQTT (CONNECT) Émulateur MQTT WAF — Recommandation Surveiller Tags mqtt_emulated net_mqtt_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1883 Chemin / cible — Service MQTT MQTT Connexion MQTT (CONNECT) Pourquoi cette classification : Type « mqtt_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Confiance : Confiance 0 % — 2 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "mqtt", "app_proto": "mqtt", "asn": 135377, "country": "NG", "dst_port": 1883, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0 }, "risk_score": 34, "tag_count": 2, "anomaly_count": 0, "campaign_key": "434aad3fca621c199a746899d3bfdf5a7c48dc2d", "event_fingerprint": "cfbc4bf6c6ba306df7f60198b2c1e3ee0dcb8f30", "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "mqtt", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "4449b927317468afa12a2f935a413459" }, "target_context": { "dst_port": 1883, "service": "mqtt", "service_name": "mqtt", "risk_score": 34 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "60f7fa541a059077ea38bfe2081f3bad920590ab", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "mqtt probe \u00b7 via MQTT:1883 \u00b7 (sonde \/ probe)", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 0, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "mqtt", "service_label_fr": "MQTT", "dst_port": 1883, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "MQTT 3.1.1", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "mqtt probe \u00b7 via MQTT:1883 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtt", "service_banner": "MQTT 3.1.1", "service_os": "iot", "dst_port": "1883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_emulated", "net_mqtt_probe" ] }
15/06/2026 14:59:51 UTC	TCP	1883 · MQTT	mqtt	Sonde PostgreSQL postgres probe · via MQTT:1883 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Connexion MQTT (CONNECT) Émulateur MQTT WAF — Recommandation Surveiller Tags mqtt_emulated mqtt_payload net_mqtt_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1883 Chemin / cible — Service MQTT MQTT Connexion MQTT (CONNECT) Payload ��>H9jvdP�ZÑ��Ľ��K�A��G� �{M��S��Z�q���Y��U�4̨̩�/�0�+�,� �̨̪3=� 9� ��/5� Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��>H9jvdP�ZÑ��Ľ��K�A��G� �{M��S��Z�q���Y��U�4̨̩�/�0�+�,� �̨̪3=� 9� ��/5� Requête brute (extrait) ��>H9jvdP�ZÑ��Ľ��K�A��G� �{M��S��Z�q���Y��U�4̨̩�/�0�+�,� �̨̪3=� 9� ��/5�{ �+ 3&$ tv�m1��6s��C�X��p��a��䊳g Meta JSON brut { "protocol_emulated": true, "bytes_in": 257, "payload_entropy": 5.912638015045827, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "mqtt", "app_proto": "mqtt", "asn": 135377, "country": "NG", "dst_port": 1883, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a87601751d25148dd54861889e6478971b18b673", "event_fingerprint": "cfbc4bf6c6ba306df7f60198b2c1e3ee0dcb8f30", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "mqtt", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ceec786d58d4f025cd9faa1c7f110034", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 1883, "service": "mqtt", "service_name": "mqtt", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>\u0017H9jvdP\ufffd\u0006Z\u00d1\ufffd\ufffd\ufffd\u013d\ufffd\u0002\u0011\u0011\ufffdK\ufffdA\ufffd\ufffdG\ufffd \ufffd{M\u0010\ufffd\ufffd\ufffd\u0001\ufffd\ufffdS\ufffd\ufffdZ\ufffd\u000eq\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffd\ufffdU\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>\u0017H9jvdP\ufffd\u0006Z\u00d1\ufffd\ufffd\ufffd\u013d\ufffd\u0002\u0011\u0011\ufffdK\ufffdA\ufffd\ufffdG\ufffd \ufffd{M\u0010\ufffd\ufffd\ufffd\u0001\ufffd\ufffdS\ufffd\ufffdZ\ufffd\u000eq\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffd\ufffdU\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 tv\ufffdm1\u0018\ufffd\u0019\ufffd6s\ufffd\ufffd\ufffd\u001cC\ufffdX\ufffd\ufffd\ufffdp\ufffd\ufffda\ufffd\ufffd\u42b3g", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>\u0017H9jvdP\ufffd\u0006Z\u00d1\ufffd\ufffd\ufffd\u013d\ufffd\u0002\u0011\u0011\ufffdK\ufffdA\ufffd\ufffdG\ufffd \ufffd{M\u0010\ufffd\ufffd\ufffd\u0001\ufffd\ufffdS\ufffd\ufffdZ\ufffd\u000eq\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffd\ufffdU\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b651d5ce720387783f18934b70850ef7bf8f1acd", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>\u0017H9jvdP\ufffd\u0006Z\u00d1\ufffd\ufffd\ufffd\u013d\ufffd\u0002\u0011\u0011\ufffdK\ufffdA\ufffd\ufffdG\ufffd \ufffd{M\u0010\ufffd\ufffd\ufffd\u0001\ufffd\ufffdS\ufffd\ufffdZ\ufffd\u000eq\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffd\ufffdU\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd>H9jvdP\ufffdZ\u00d1\ufffd\ufffd\ufffd\u013d\ufffd\ufffdK\ufffdA\ufffd\ufffdG\ufffd \ufffd{M\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdZ\ufffdq\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffd\ufffdU\ufffd4\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\ufffd\u0328\u032a3=\ufffd\n9\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd", "attack_vector": "postgres probe \u00b7 via MQTT:1883 \u00b7 (sonde \/ probe)", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "mqtt", "service_label_fr": "MQTT", "dst_port": 1883, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "MQTT 3.1.1", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "mqtt_connect_fr": "Connexion MQTT (CONNECT)", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd>\u0017H9jvdP\ufffd\u0006Z\u00d1\ufffd\ufffd\ufffd\u013d\ufffd\u0002\u0011\u0011\ufffdK\ufffdA\ufffd\ufffdG\ufffd \ufffd{M\u0010\ufffd\ufffd\ufffd\u0001\ufffd\ufffdS\ufffd\ufffdZ\ufffd\u000eq\ufffd\ufffd\ufffdY\ufffd\ufffd\ufffd\ufffdU\ufffd\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "port": 1883, "service": "mqtt", "service_label_fr": "MQTT" }, "attack_vector": "postgres probe \u00b7 via MQTT:1883 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd>H9jvdP\ufffdZ\u00d1\ufffd\ufffd\ufffd\u013d\ufffd\ufffdK\ufffdA\ufffd\ufffdG\ufffd \ufffd{M\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffdZ\ufffdq\ufffd*\ufffd\ufffdY\ufffd\ufffd\ufffd\ufffdU\ufffd4\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\ufffd\u0328\u032a3=\ufffd\n9\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd", "target_port_label": "1883 \u00b7 MQTT", "emulator_service": "mqtt", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mqtt", "service_banner": "MQTT 3.1.1", "service_os": "iot", "dst_port": "1883" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_emulated", "mqtt_payload", "net_mqtt_probe", "tls_clienthello" ] }
13/06/2026 22:56:03 UTC	TCP	10022 · HTTP	http	Cross-site scripting xss attack · via HTTP:10022 · (tentative d'exploit) · → /sitemap.xml	Élevée	Faible · 39
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /sitemap.xml UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10022 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 39 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 SSRF Any-address SSRF Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:10022 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.3 Requête brute (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:10022 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Accept: text/html,application/xhtml+xml,application/xml;q=0. Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "3c5ddace8cf70dfe87d36e98202c26a441a69292", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 432, "payload_entropy": 5.500024680390549, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "dst_port": 10022, "risk_waf": 60, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 39, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c4ed67f081f4cfe152386c4ad200cc174d91df3a", "event_fingerprint": "06381d7aa9f9ce78aeacfc310dd6aea682469daa", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0324" ], "matched_pattern_names": [ "CRS 941130", "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0284", "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 39, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fd66a2f6f02ef8323e37dd4d2c2d8c7", "payload_hash": "4f090f42f935ff12dc209e25bf2cef92", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 10022, "service": "http", "service_name": "http", "risk_score": 39 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c1630b5f73c32ebbe1e627194b2d957dd26da9a", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 10022, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "attack_vector": "xss attack \u00b7 via HTTP:10022 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "10022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 39\/100 (Faible) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 39, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 39, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10022, "protocol_emulated": null, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 10022, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:10022 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "target_port_label": "10022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:10022", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }
13/06/2026 22:56:02 UTC	TCP	10022 · HTTP	http	SSRF interne ssrf internal · via HTTP:10022 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10022 Chemin / cible / Service HTTP Pourquoi cette classification : Type « ssrf_internal » (signaux protocolaires) · confiance 54% Confiance classification 62% Corrélation +8 Risque capteur Moyen · 46 Confiance : Confiance 54 % — Motif catalogue confirmé · 3 tag(s) WAF Signaux CRS-920350 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10022 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 User-Agent: Mozilla/5. Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10022 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "3c5ddace8cf70dfe87d36e98202c26a441a69292", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 253, "payload_entropy": 5.486351497711054, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "dst_port": 10022, "risk_waf": 72, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9b58584528f65aa0f24ddbffa6349b3ce0dbc9bc", "event_fingerprint": "51f86c2701c21ecfd38653ba243a7a7db4a0bdc5", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 64, "precision_signals": [ "CRS-920350" ], "kb_rule_ids": [ "CRS-920350" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "ssrf_attack", "service_name": "http", "risk_confidence_factor": 54, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fd66a2f6f02ef8323e37dd4d2c2d8c7", "payload_hash": "523b5a4c48b369abc81e2144c77a678a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10022, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.", "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "df6839ff287cc166817f6ad566ca7910d6e39d9d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 10022, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.", "attack_vector": "ssrf internal \u00b7 via HTTP:10022 \u00b7 (tentative d'exploit)", "target_port_label": "10022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "classification_reason_label_fr": "Type \u00ab ssrf_internal \u00bb (signaux protocolaires) \u00b7 confiance 54%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10022, "protocol_emulated": null, "tags_summary": [ "CRS-920350" ], "tags_summary_labels_fr": [ "CRS-920350" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 10022, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf internal \u00b7 via HTTP:10022 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nUser-Agent: Mozilla\/5.", "target_port_label": "10022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 54 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:10022", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
13/06/2026 22:56:02 UTC	TCP	10022 · HTTP	http	Cross-site scripting xss attack · via HTTP:10022 · (tentative d'exploit) · → /favicon.ico	Élevée	Faible · 39
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10022 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 39 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 SSRF Any-address SSRF Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:10022 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.3 Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:10022 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Accept: text/html,application/xhtml+xml,application/xml;q=0. Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "3c5ddace8cf70dfe87d36e98202c26a441a69292", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 432, "payload_entropy": 5.503852502853117, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "dst_port": 10022, "risk_waf": 60, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 39, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c4ed67f081f4cfe152386c4ad200cc174d91df3a", "event_fingerprint": "5957490f35451c5a6d39de601d2b37487ea8fd4e", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0324" ], "matched_pattern_names": [ "CRS 941130", "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0284", "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 39, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fd66a2f6f02ef8323e37dd4d2c2d8c7", "payload_hash": "0072c1c2f097af1c5fb2bb0b12aa7283", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 10022, "service": "http", "service_name": "http", "risk_score": 39 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d3fcdcf819afdadfc19d4106b9e2816f694b9eae", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 10022, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "attack_vector": "xss attack \u00b7 via HTTP:10022 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "10022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 39\/100 (Faible) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 39, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 39, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10022, "protocol_emulated": null, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 10022, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:10022 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.3", "target_port_label": "10022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:10022", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ], "behavior_alert_count": 1, "behavior_priority": 96 }
13/06/2026 22:56:02 UTC	TCP	10022 · HTTP	http	Cross-site scripting xss attack · via HTTP:10022 · (tentative d'exploit) · → /robots.txt	Élevée	Faible · 39
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /robots.txt UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10022 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Faible · 39 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Signaux pat-0284 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 SSRF Any-address SSRF Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:10022 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Requête brute (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:10022 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9 Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "3c5ddace8cf70dfe87d36e98202c26a441a69292", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 431, "payload_entropy": 5.512121524011591, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "dst_port": 10022, "risk_waf": 60, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 39, "tag_count": 2, "anomaly_count": 0, "campaign_key": "c4ed67f081f4cfe152386c4ad200cc174d91df3a", "event_fingerprint": "4d65add8a33ced1224b64037c2d19df26f74ecf0", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0324" ], "matched_pattern_names": [ "CRS 941130", "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0284", "pat-0324" ], "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 39, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fd66a2f6f02ef8323e37dd4d2c2d8c7", "payload_hash": "7f4ce4f4c6354c2a5f0de2c376c0e902", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 10022, "service": "http", "service_name": "http", "risk_score": 39 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "method": "GET", "path": "\/robots.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 Edg\/120.0.0.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f5bb781ffc24a8dc7832f7022d5025c6c3969062", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 10022, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "attack_vector": "xss attack \u00b7 via HTTP:10022 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/robots.txt", "target_port_label": "10022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 39\/100 (Faible) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 60, "classification": 68, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 39, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 39, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10022, "protocol_emulated": null, "tags_summary": [ "pat-0284" ], "tags_summary_labels_fr": [ "pat-0284" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36 E\u2026", "port": 10022, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "xss attack \u00b7 via HTTP:10022 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10022\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36", "target_port_label": "10022 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 60 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:10022", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3" ] }
13/06/2026 22:55:58 UTC	TCP	10022	—	Sonde port Sonde port · port 10022 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10022 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "NG", "dst_port": 10022, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "f75205c1cc321c09bcf1cde6257745541d39a3d0", "event_fingerprint": "b60f332155355ea1648ffbc31542dea9c131dafb", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 10022, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d37546d7a2b26a92fb05923512f33e11bcbdb0de", "protocol_details": { "port": 10022 }, "attack_vector": "Sonde port \u00b7 port 10022 \u00b7 (sonde \/ probe)", "target_port_label": "10022", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 10022, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 10022 }, "attack_vector": "Sonde port \u00b7 port 10022 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "10022", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "10022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "port:10022", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
13/06/2026 22:55:57 UTC	TCP	10022 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:10022 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 3429560be8f9b1b5 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10022 Chemin / cible — Service TLS Payload ��z�[n�kW׵��P�1�\|�=j{��Q�' �9� @T�9Sp'�_�^$1��"�� H4̨̩�/�0�+�,� �̨̪3=� 9� ��/5� Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��z�[n�kW׵��P�1�\|�=j{��Q�' �9� @T�9Sp'�_�^$1��"�� H4̨̩�/�0�+�,� �̨̪3=� 9� ��/5� Requête brute (extrait) ��z�[n�kW׵��P�1�\|�=j{��Q�' �9� @T�9Sp'�_�^$1��"�� H4̨̩�/�0�+�,� �̨̪3=� 9� ��/5�{ �+ 3&$ �� :8��D�,xQt%Ժ��î�e�� Meta JSON brut { "tls_ja3_hash": "3429560be8f9b1b5aa346694eb419bad", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "bytes_in": 257, "payload_entropy": 5.883417100632101, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "NG", "dst_port": 10022, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "29a68bd5637d6a11698eba4ebe49e94f0fee4625", "event_fingerprint": "3cbab29df8bed9f9bc5270899065874fc557a5cd", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "NG", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "3429560be8f9b1b5aa346694eb419bad", "payload_hash": "672ecee2863e9cb762c217792b7c8279", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 10022, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0019z\ufffd[n\ufffdkW\u05f5\ufffd\ufffdP\ufffd1\ufffd\|\ufffd=j{\ufffd\ufffd\ufffd\ufffdQ\ufffd'\t\ufffd9\ufffd @T\ufffd9Sp\u001b'\ufffd_\ufffd^$\u0005\uef231\u0003\ufffd\ufffd\u001e\ufffd\ufffd\u001f\ufffd\ufffd\"\ufffd\ufffd\rH\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0019z\ufffd[n\ufffdkW\u05f5\ufffd\ufffdP\ufffd1\ufffd\|\ufffd=j{\ufffd\ufffd\ufffd\ufffdQ\ufffd'\t\ufffd9\ufffd @T\ufffd9Sp\u001b'\ufffd_\ufffd^$\u0005\uef231\u0003\ufffd\ufffd\u001e\ufffd\ufffd\u001f\ufffd\ufffd\"\ufffd\ufffd\rH\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0019\ufffd\t\ufffd\ufffd:8\ufffd\ufffd\ufffdD\ufffd,xQt%\u053a\ufffd\ufffd\ufffd\ufffd\u00ee\ufffde\ufffd\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0019z\ufffd[n\ufffdkW\u05f5\ufffd\ufffdP\ufffd1\ufffd\|\ufffd=j{\ufffd\ufffd\ufffd\ufffdQ\ufffd'\t\ufffd9\ufffd @T\ufffd9Sp\u001b'\ufffd_\ufffd^$\u0005\uef231\u0003\ufffd\ufffd\u001e\ufffd\ufffd\u001f\ufffd\ufffd\"\ufffd\ufffd\rH\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f31c03e0cf9fe3cdce002d3ef162d991ae617bbd", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0019z\ufffd[n\ufffdkW\u05f5\ufffd\ufffdP\ufffd1\ufffd\|\ufffd=j{\ufffd\ufffd\ufffd\ufffdQ\ufffd'\t\ufffd9\ufffd @T\ufffd9Sp\u001b'\ufffd_\ufffd^$\u0005\uef231\u0003\ufffd\ufffd\u001e\ufffd\ufffd\u001f\ufffd\ufffd\"\ufffd\ufffd\rH\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "tls_ja3": "3429560be8f9b1b5aa346694eb419bad", "port": 10022, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdz\ufffd[n\ufffdkW\u05f5\ufffd\ufffdP\ufffd1\ufffd\|\ufffd=j{\ufffd\ufffd\ufffd\ufffdQ\ufffd'\t\ufffd9\ufffd @T\ufffd9Sp'\ufffd_\ufffd^$\uef231\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\ufffd\ufffd\rH4\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\ufffd\u0328\u032a3=\ufffd\n9\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:10022 \u00b7 (sonde \/ probe)", "target_port_label": "10022 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 10022, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0019z\ufffd[n\ufffdkW\u05f5\ufffd\ufffdP\ufffd1\ufffd\|\ufffd=j{\ufffd\ufffd\ufffd\ufffdQ\ufffd'\t\ufffd9\ufffd @T\ufffd9Sp\u001b'\ufffd_\ufffd^$\u0005\uef231\u0003\ufffd\ufffd\u001e\ufffd\ufffd\u001f\ufffd\ufffd\"\ufffd\ufffd\rH\u00004\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\u0000\ufffd\u0328\u032a\u00003\u0000=\u0000\u0016\ufffd\n\u00009\ufffd\u0013\u0000\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0013\u0003\u0013\u0001", "tls_ja3": "3429560be8f9b1b5aa346694eb419bad", "port": 10022, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:10022 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdz\ufffd[n\ufffdkW\u05f5\ufffd\ufffdP\ufffd1\ufffd\|\ufffd=j{\ufffd\ufffd\ufffd\ufffdQ\ufffd'\t\ufffd9\ufffd @T\ufffd9Sp'\ufffd_\ufffd^$\uef231\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\ufffd\ufffd\rH4\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\t\ufffd\u0328\u032a3=\ufffd\n9\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd", "target_port_label": "10022 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "10022" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
23/05/2026 05:49:21 UTC	TCP	23	telnet	Sonde Telnet	Élevée	Élevé · 74
Étape — WAF — Recommandation — Tags telnet_iac Cible HTTP — TLS SNI — Capteur paris-1
23/05/2026 05:49:21 UTC	TCP	23	http	web attack	Élevée	Critique · 100
Étape — WAF 16 Recommandation — Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "20f1795c85ce69a5836c1e5cbea79ee0fa1da219", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.4963278777392155, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY HK LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "tag_count": 3, "anomaly_count": 0, "risk_score": 100, "campaign_key": "4e27e27ad96757c855735d86ab27564c41f6a57e", "event_fingerprint": "64877cfaec496843ead80d3621a67cff743aecde", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
23/05/2026 05:49:21 UTC	TCP	23	http	web attack	Élevée	Critique · 100
Étape — WAF 16 Recommandation — Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_bruteforce_burst Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f300f0d9f4416780169520dddfc4974562a97a64", "http_host_hash": "20f1795c85ce69a5836c1e5cbea79ee0fa1da219", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 418, "payload_entropy": 5.511642964687057, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY HK LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "NG", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "16bd90c1fe05d8f023ba8b3b682a620d125b0978", "event_fingerprint": "64877cfaec496843ead80d3621a67cff743aecde", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_bruteforce_burst" ] }
23/05/2026 05:49:20 UTC	TCP	23	telnet	telnet attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
23/05/2026 05:49:17 UTC	TCP	23	telnet	telnet attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
23/05/2026 05:49:16 UTC	TCP	23	tls	Sonde TLS	Élevée	Élevé · 81
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1

165.154.10.165

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence