Renseignement sur les menaces

États-Unis

165.154.162.212

FAI UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED Première vue 01/01/2026 22:37 UTC Dernière vue 20/06/2026 14:35 UTC Risque Critique

Période analysée : 2026-05-21 → 2026-06-20

Activité suspecte · risque 40/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 01/01/2026 22:37 UTC

Dernière observation 20/06/2026 14:35 UTC

Événements (période) 280

MITRE ATT&CK principal TA0007 107 occurrences

Activité suspecte · risque 40/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « web_probe » (signaux protocolaires) · confiance 95%

Confiance 95 % — Score WAF 8

Comparaison ASN / FAI

ASN 135377 · 165.154.162.0/24 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 280 événements sur la période pour cette IP.

152.32.173.15 Tentative d'exploit 20/06/2026 15:25 UTC
101.36.118.148 Sonde port 20/06/2026 15:25 UTC
118.193.57.62 Tentative d'exploit 20/06/2026 15:23 UTC
165.154.172.111 Tentative d'exploit 20/06/2026 15:23 UTC
165.154.11.225 Sonde port 20/06/2026 15:22 UTC
118.194.251.101 Sonde Kafka 20/06/2026 15:22 UTC
45.194.70.250 Sonde port 20/06/2026 15:21 UTC
152.32.215.252 Sonde RDP 20/06/2026 15:20 UTC

Événements (filtres)

280

Première observation

01/01/2026 22:37 UTC

Dernière observation

20/06/2026 14:35 UTC

Dernière activité (filtres)

20/06/2026 14:35 UTC

Événements 7j

100

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 156 SAP Diag TCP 73 TLS TCP 21

HTTP

156

SAP Diag

TLS

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED 1102 Port 1656 exploit_attempt

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

Sonde HTTP · via HTTP:1656 · (sonde / probe) · → /robots.txt

Détails protocole

Méthode: GET
Chemin: /robots.txt
User-Agent: Go-http-client/1.1

Aperçu payload

GET /robots.txt HTTP/1.1 Host: 62.3.50.33:1656 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close

Port / service

1656 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 95 % — Motif catalogue confirmé

Technique MITRE

T1595

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

Requête robots.txt Single Port Chemin bénin connu

Confiance

95%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

280 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

280 événement(s) — page 2/6

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 04:05:16 UTC	TCP	6300 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:6300 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6300 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:6300 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "3a128d28962e326e199684546306f04661d3bd74", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.950650261639131, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 6300, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "307f9a0c75f141d684777272a1d858cef0fdc9a6", "event_fingerprint": "c744a242e8fe7a78b3c1081152d1deb2fde6b5ce", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "df43bf754d18125154383e1e66c79380", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 6300, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "76ed1eeea7417513c5c246f17248aae71549466b", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:6300 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "6300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6300, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:6300 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "6300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
17/06/2026 04:05:16 UTC	TCP	6300 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:6300 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6300 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:6300 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "3a128d28962e326e199684546306f04661d3bd74", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.891276337346147, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 6300, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "307f9a0c75f141d684777272a1d858cef0fdc9a6", "event_fingerprint": "8b99e41e6686ade9805203e852b0b33e6734faa3", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "53008b350a85f2d360298d39e499c7c9", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 6300, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc54a6d4478f07dba43849261c0403fd1fcdcd11", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6300, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:6300 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "6300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6300, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 6300, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:6300 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6300\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "6300 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
17/06/2026 03:36:00 UTC	TCP	3578	—	Sonde port Sonde port · port 3578 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3578 Chemin / cible — Payload t3 12.1.2 AS:2048 HL:19 Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.1.2 AS:2048 HL:19 Meta JSON brut { "bytes_in": 25, "payload_entropy": 3.7834651896016456, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 3578, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "ba02c568da3f923598b77c64a2f162c9c3239954", "event_fingerprint": "7622791315dd182def2f2ba7c84abaa50c6f6c54", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 3578, "risk_score": 44 }, "payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n", "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "evidence": { "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9139e2a3b3d7bd45cc1e30d1e7fbda5a4f7d404a", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 3578 }, "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "attack_vector": "Sonde port \u00b7 port 3578 \u00b7 (sonde \/ probe)", "target_port_label": "3578", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 3578, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 3578 }, "attack_vector": "Sonde port \u00b7 port 3578 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "target_port_label": "3578", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "3578" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:3578", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 03:35:59 UTC	TCP	3578 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:3578 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 9460af62ae0af667 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3578 Chemin / cible — Service TLS Payload ��>1 ;��3��p��>�� [v�`�K�� OP ƚ-!� ���S[t?��$��V &�+�/�,�0̨̩� �� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��>1;��3��p��>��[v�`�K�� OPƚ-!����S[t?��$��V &�+�/�,�0̨̩� �� /5� � Requête brute (extrait) ��>1 ;��3��p��>�� [v�`�K�� OP ƚ-!� ���S[t?��$��V &�+�/�,�0̨̩� �� /5� � + 3&$ ��nΩ��3��O[�7��H�DE��Z4�?So Meta JSON brut { "tls_ja3_hash": "9460af62ae0af667130bf0d36514f084", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.7897422286198434, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "US", "dst_port": 3578, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f317528ef027ca4a7e638ffe35faae2d1f69e50f", "event_fingerprint": "04d659ad8e5c30c207a1fa552ecae99373ba425c", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9460af62ae0af667130bf0d36514f084", "payload_hash": "9a548bec1635296c7491db369104ad86", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "9d78dfefabcee3ee16297d72e4cafc86", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0", "tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86", "tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 3578, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd>1\f;\u0003\ufffd\ufffd3\ufffd\ufffdp\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\u000b\ufffd[v\ufffd`\ufffdK\ufffd\ufffd\ufffd\ufffd \ufffdOP\u000b\u019a-!\ufffd\u000b\ufffd\ufffd\ufffd\u0000\u0007S[t?\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdV \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd>1\f;\u0003\ufffd\ufffd3\ufffd\ufffdp\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\u000b\ufffd[v\ufffd`\ufffdK\ufffd\ufffd\ufffd\ufffd \ufffdOP\u000b\u019a-!\ufffd\u000b\ufffd\ufffd\ufffd\u0000\u0007S[t?\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdV \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdn\u0002\u03a9\ufffd\ufffd\ufffd\ufffd3\ufffd\ufffdO[\ufffd7\ufffd\ufffdH\ufffdDE\ufffd\ufffdZ4\ufffd?So", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd>1\f;\u0003\ufffd\ufffd3\ufffd\ufffdp\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\u000b\ufffd[v\ufffd`\ufffdK\ufffd\ufffd\ufffd\ufffd \ufffdOP\u000b\u019a-!\ufffd\u000b\ufffd\ufffd\ufffd\u0000\u0007S[t?\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdV \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "de604509239748bf1b37ec6578f4f27037b960ac", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd>1\f;\u0003\ufffd\ufffd3\ufffd\ufffdp\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\u000b\ufffd[v\ufffd`\ufffdK\ufffd\ufffd\ufffd\ufffd \ufffdOP\u000b\u019a-!\ufffd\u000b\ufffd\ufffd\ufffd\u0000\u0007S[t?\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdV \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 3578, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd>1;\ufffd\ufffd3\ufffd\ufffdp\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd[v\ufffd`\ufffdK\ufffd\ufffd\ufffd\ufffd \ufffdOP\u019a-!\ufffd\ufffd\ufffd\ufffdS[t?\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdV &\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:3578 \u00b7 (sonde \/ probe)", "target_port_label": "3578 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 3578, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd>1\f;\u0003\ufffd\ufffd3\ufffd\ufffdp\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\u000b\ufffd[v\ufffd`\ufffdK\ufffd\ufffd\ufffd\ufffd \ufffdOP\u000b\u019a-!\ufffd\u000b\ufffd\ufffd\ufffd\u0000\u0007S[t?\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdV \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 3578, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:3578 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd>1;\ufffd\ufffd3\ufffd\ufffdp\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\ufffd[v\ufffd`\ufffdK\ufffd\ufffd\ufffd\ufffd \ufffdOP\u019a-!\ufffd\ufffd\ufffd\ufffdS[t?\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffdV &\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "3578 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "3578" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:3578", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
17/06/2026 03:35:58 UTC	TCP	3578 · HTTP	http	Sonde port 3578/TCP port 3578 tcp · via HTTP:3578 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.29.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua botnet_http_ua_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3578 Chemin / cible / Preuve honeypot — Sonde port 3578/TCP Connexion détectée sur le port 3578 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_3578_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.29.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 62.3.50.33 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 74, "payload_entropy": 4.819344967782759, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 3578, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 1, "campaign_key": "dbff863ddb635cea77d5b5fa219b0ea1f990cf9c", "event_fingerprint": "cda130487cea2f5a29ccfef5f983d4ff1a37d790", "classification_reason": "Type \u00ab port_3578_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161", "payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3578, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "classification_reason": "Type \u00ab port_3578_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7ea24fc2505bcc61b10f41ad95a61c8c78bba5cf", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 3578, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "attack_vector": "port 3578 tcp \u00b7 via HTTP:3578 \u00b7 (sonde \/ probe)", "target_port_label": "3578 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_3578_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_3578_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3578, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 3578, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 3578 tcp \u00b7 via HTTP:3578 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "target_port_label": "3578 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3578" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:3578" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "botnet_http_ua_host", "http_ua_suspicious", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 84 }
17/06/2026 03:35:52 UTC	TCP	3578	—	Sonde port Sonde port · port 3578 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3578 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 3578, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "ba02c568da3f923598b77c64a2f162c9c3239954", "event_fingerprint": "7622791315dd182def2f2ba7c84abaa50c6f6c54", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 3578, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "29a4de6b2a6a7dc246e4e37f57e91e34e8c81f8a", "protocol_details": { "port": 3578 }, "attack_vector": "Sonde port \u00b7 port 3578 \u00b7 (sonde \/ probe)", "target_port_label": "3578", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 3578, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 3578 }, "attack_vector": "Sonde port \u00b7 port 3578 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "3578", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "3578" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 01:22:14 UTC	TCP	4739 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:4739 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 9460af62ae0af667 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4739 Chemin / cible — Service TLS Payload ��Hχ��`��7�\|��4�]+<��nH��o �h�l04B1��U.�b�Be��!�:��n}&�+�/�,�0̨̩� �� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Hχ��`��7�\|��4�]+<��nH��o �h�l04B1��U.�b�Be��!�:��n}&�+�/�,�0̨̩� �� /5� � Requête brute (extrait) ��Hχ��`��7�\|��4�]+<��nH��o �h�l04B1��U.�b�Be��!�:��n}&�+�/�,�0̨̩� �� /5� � + 3&$ �"2�0j!�ٯl~�W[F+x��z�>`/��n Meta JSON brut { "tls_ja3_hash": "9460af62ae0af667130bf0d36514f084", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.768085808512384, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "US", "dst_port": 4739, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "6985334108ce5046045240cfd8d3c0b2e0f7965b", "event_fingerprint": "79d6cf1414d6aa6a22724cdf576296a856e953e9", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9460af62ae0af667130bf0d36514f084", "payload_hash": "b5a5960a209acd47f9743fbfcdedbb4a", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "9d78dfefabcee3ee16297d72e4cafc86", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0", "tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86", "tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4739, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0018\u03c7\ufffd\ufffd\ufffd`\ufffd\u0017\ufffd7\ufffd\|\ufffd\ufffd4\ufffd]+<\ufffd\ufffd\u001anH\ufffd\ufffd\ufffdo \ufffdh\ufffdl04B1\ufffd\ufffd\ufffdU.\ufffdb\ufffdB\u001be\ufffd\ufffd!\u0016\u0016\ufffd:\ufffd\ufffd\ufffdn}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0018\u03c7\ufffd\ufffd\ufffd`\ufffd\u0017\ufffd7\ufffd\|\ufffd\ufffd4\ufffd]+<\ufffd\ufffd\u001anH\ufffd\ufffd\ufffdo \ufffdh\ufffdl04B1\ufffd\ufffd\ufffdU.\ufffdb\ufffdB\u001be\ufffd\ufffd!\u0016\u0016\ufffd:\ufffd\ufffd\ufffdn}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\"\u00152\u000f\ufffd0j!\ufffd\u066fl~\ufffdW[F+x\ufffd\ufffd\u0003z\ufffd\u001f>`\/\ufffd\ufffdn", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0018\u03c7\ufffd\ufffd\ufffd`\ufffd\u0017\ufffd7\ufffd\|\ufffd\ufffd4\ufffd]+<\ufffd\ufffd\u001anH\ufffd\ufffd\ufffdo \ufffdh\ufffdl04B1\ufffd\ufffd\ufffdU.\ufffdb\ufffdB\u001be\ufffd\ufffd!\u0016\u0016\ufffd:\ufffd\ufffd\ufffdn}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "75e66aee81f52c487412bb935db80b69c34101cb", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0018\u03c7\ufffd\ufffd\ufffd`\ufffd\u0017\ufffd7\ufffd\|\ufffd\ufffd4\ufffd]+<\ufffd\ufffd\u001anH\ufffd\ufffd\ufffdo \ufffdh\ufffdl04B1\ufffd\ufffd\ufffdU.\ufffdb\ufffdB\u001be\ufffd\ufffd!\u0016\u0016\ufffd:\ufffd\ufffd\ufffdn}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 4739, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdH\u03c7\ufffd\ufffd\ufffd`\ufffd\ufffd7\ufffd\|\ufffd\ufffd4\ufffd]+<\ufffd\ufffdnH\ufffd\ufffd\ufffdo \ufffdh\ufffdl04B1\ufffd\ufffd\ufffdU.\ufffdb\ufffdBe\ufffd\ufffd!\ufffd:\ufffd\ufffd\ufffdn}&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:4739 \u00b7 (sonde \/ probe)", "target_port_label": "4739 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 4739, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\u0018\u03c7\ufffd\ufffd\ufffd`\ufffd\u0017\ufffd7\ufffd\|\ufffd\ufffd4\ufffd]+<\ufffd\ufffd\u001anH\ufffd\ufffd\ufffdo \ufffdh\ufffdl04B1\ufffd\ufffd\ufffdU.\ufffdb\ufffdB\u001be\ufffd\ufffd!\u0016\u0016\ufffd:\ufffd\ufffd\ufffdn}\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 4739, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:4739 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdH\u03c7\ufffd\ufffd\ufffd`\ufffd\ufffd7\ufffd\|\ufffd\ufffd4\ufffd]+<\ufffd\ufffdnH\ufffd\ufffd\ufffdo \ufffdh\ufffdl04B1\ufffd\ufffd\ufffdU.\ufffdb\ufffdBe\ufffd\ufffd!\ufffd:\ufffd\ufffd\ufffdn}&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "4739 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "4739" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:4739", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
17/06/2026 01:22:14 UTC	TCP	4739	—	Sonde port Sonde port · port 4739 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4739 Chemin / cible — Payload t3 12.1.2 AS:2048 HL:19 Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.1.2 AS:2048 HL:19 Meta JSON brut { "bytes_in": 25, "payload_entropy": 3.7834651896016456, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 4739, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "ade9aebe192f20bf1ee292d2d262ee7d299b6307", "event_fingerprint": "f50a58422500806b71ecdf971114d09f3eadc800", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 4739, "risk_score": 44 }, "payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n", "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "evidence": { "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fce5712a69b97f0b10825c44183f8b8225197b2e", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 4739 }, "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "attack_vector": "Sonde port \u00b7 port 4739 \u00b7 (sonde \/ probe)", "target_port_label": "4739", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 4739, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 4739 }, "attack_vector": "Sonde port \u00b7 port 4739 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "target_port_label": "4739", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "4739" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:4739", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
17/06/2026 01:22:13 UTC	TCP	4739 · HTTP	http	Sonde port 4739/TCP port 4739 tcp · via HTTP:4739 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.29.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua botnet_http_ua_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4739 Chemin / cible / Preuve honeypot — Sonde port 4739/TCP Connexion détectée sur le port 4739 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_4739_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.29.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 62.3.50.33 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 74, "payload_entropy": 4.819344967782759, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4739, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 1, "campaign_key": "e3c58cad2262c2f05eff125151f02d6da83e81e4", "event_fingerprint": "df3dd5ebdef60f6c8101f28e30b13021c558c03a", "classification_reason": "Type \u00ab port_4739_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161", "payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4739, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "classification_reason": "Type \u00ab port_4739_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6cc6c51fc11081c252ac662fc0eae779e0c33657", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 4739, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "attack_vector": "port 4739 tcp \u00b7 via HTTP:4739 \u00b7 (sonde \/ probe)", "target_port_label": "4739 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_4739_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_4739_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4739, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 4739, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 4739 tcp \u00b7 via HTTP:4739 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "target_port_label": "4739 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4739" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:4739" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "botnet_http_ua_host", "http_ua_suspicious", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 84 }
17/06/2026 01:22:07 UTC	TCP	4739	—	Sonde port Sonde port · port 4739 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4739 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 4739, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "ade9aebe192f20bf1ee292d2d262ee7d299b6307", "event_fingerprint": "f50a58422500806b71ecdf971114d09f3eadc800", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 4739, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc5c34feb46ec6d7429c07b46478edacd397aa45", "protocol_details": { "port": 4739 }, "attack_vector": "Sonde port \u00b7 port 4739 \u00b7 (sonde \/ probe)", "target_port_label": "4739", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 4739, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 4739 }, "attack_vector": "Sonde port \u00b7 port 4739 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "4739", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "4739" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
16/06/2026 22:33:36 UTC	TCP	640 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:640 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 640 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:640 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "a6e2472d83d551a54a33fa06a9b70ebbc28797c7", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.926991484919829, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 640, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "8cecae5db88a0fb7025410ceb4e82ff42492c7b7", "event_fingerprint": "282ded6343f075adcfc41896b8005e5d0db90339", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "765ae9891db73a86289a1ef7dead81d6", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 640, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2fb868cf383197b27cea87d4e2f0d98ae7017710", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 640, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:640 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "640 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 640, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 640, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:640 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "640 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "640" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
16/06/2026 22:33:36 UTC	TCP	640 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:640 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 640 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:640 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "a6e2472d83d551a54a33fa06a9b70ebbc28797c7", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 124, "payload_entropy": 4.911345557044192, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 640, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "8cecae5db88a0fb7025410ceb4e82ff42492c7b7", "event_fingerprint": "76a5220d8e657aefe8b9758420864d49ce16bd36", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "af5e5430a9b8a3bc723775d45e237e35", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 640, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84d93a366f880771d03b2226ddb02cbd97fcb767", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 640, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:640 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "640 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 640, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 640, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:640 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "640 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "640" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 22:33:36 UTC	TCP	640 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:640 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 640 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:640 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "a6e2472d83d551a54a33fa06a9b70ebbc28797c7", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.970941585506416, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 640, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "8cecae5db88a0fb7025410ceb4e82ff42492c7b7", "event_fingerprint": "bbc570b188eee3c02ea5e7d02a785c5a01dfcd6c", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "4173df2f381416f96b85be63b568ce57", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 640, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e135224498c5d7c2bafca63cf17c98ffcb4c38bd", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 640, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:640 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "640 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 640, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 640, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:640 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "640 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "640" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 22:33:35 UTC	TCP	640 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:640 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit/552.53 (… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 640 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit/552.53 (KHTML, like Gecko) Chrome/55.0.2576 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:640 User-Agent: Mozilla/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit/552.53 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:640 User-Agent: Mozilla/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit/552.53 (KHTML, like Gecko) Chrome/55.0.2576 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "2372db5d87d7702e41b4a67d2c43fdf8c57da738", "http_host_hash": "a6e2472d83d551a54a33fa06a9b70ebbc28797c7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.400633173703259, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 640, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "094d78a10a0fdeb24b2c27308effb5907df51187", "event_fingerprint": "2199f4385e66c45a842f9c584e0ddc561552601e", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c503758aa75fc58f87a87e079158aa9e", "payload_hash": "248116d1daa808a56967b287a612631d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 640, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gecko) Chrome\/55.0.2576 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gecko) Chrome\/55.0.2576 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gecko) Chrome\/55.0.2576 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gecko) Chrome\/55.0.2576 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "39b8379de5f76bc114d7d2b1bf7ea6117f3b12cd", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gecko) Chrome\/55.0.2576 Safari\/537.36", "port": 640, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:640 \u00b7 (tentative d'exploit)", "target_port_label": "640 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 640, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gecko) Chrome\/55.0.2576 Safari\/537.36", "port": 640, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:640 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:640\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_1; Win64; x64) AppleWebKit\/552.53 (KHTML, like Gec", "target_port_label": "640 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "640" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 15:52:17 UTC	TCP	1745 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1745 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1745 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:1745 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "744553409378aecd6cf246dba5ed3ea33228045d", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.941893094593416, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 1745, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "90a0b2e4430a33a9ff6d8438ee5b7874d4e4d683", "event_fingerprint": "9d6d2b64c318c7d189d29b0299f5ab0673b047d2", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "db49fc84d1c391b5e7e413f63a0efb7f", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 1745, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0b9a2c60c9cfc4746172fae1b63c063fe503410a", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1745, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1745 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "1745 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1745, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1745, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1745 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1745 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1745" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
16/06/2026 15:52:17 UTC	TCP	1745 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1745 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1745 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:1745 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "744553409378aecd6cf246dba5ed3ea33228045d", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.926399213550653, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 1745, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "90a0b2e4430a33a9ff6d8438ee5b7874d4e4d683", "event_fingerprint": "074e18a7505081c1a87d1c8dd9e6f0618bd4c9f3", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "278be95096a7aba29bce11fe9388b9b4", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 1745, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "12734689211ac8e3166272da36e41819fe7c0f72", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1745, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1745 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "1745 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1745, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1745, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1745 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1745 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1745" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 15:52:17 UTC	TCP	1745 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1745 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1745 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:1745 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "744553409378aecd6cf246dba5ed3ea33228045d", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.985494384857888, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 1745, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "90a0b2e4430a33a9ff6d8438ee5b7874d4e4d683", "event_fingerprint": "fba0cc899eb19261cfea2b32684eca0043052d03", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "89fbae48672a5b39da5310541c90ffdf", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 1745, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "62ec3b37c913a3be776d402b1b22fc73e5d8075e", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1745, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1745 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "1745 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1745, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1745, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1745 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1745 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1745" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 15:52:16 UTC	TCP	1745 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:1745 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/597.54 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1745 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/597.54 (KHTML, like Gecko) Chrome/55.0.1428 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1745 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/597.54 (KHTML, like Gecko) Chrome Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1745 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/597.54 (KHTML, like Gecko) Chrome/55.0.1428 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "5d8593ba92646dda441f9c71fafb0f75c5fe72ab", "http_host_hash": "744553409378aecd6cf246dba5ed3ea33228045d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.437285982266101, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 1745, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7032e6cdcc19e34e3c411c19a30028b01bd97e14", "event_fingerprint": "2e0687e7bf3523c6ba44e2ce6bd247935a080ade", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0283508245b60f774a38cd2edb60f3d9", "payload_hash": "232949cd2c3c1b47e4b0ca840e5c401b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1745, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome\/55.0.1428 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome\/55.0.1428 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome\/55.0.1428 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome\/55.0.1428 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f2462c8817654582697335aa2efd6fe7c572457", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome\/55.0.1428 Safari\/537.36", "port": 1745, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome", "attack_vector": "exploit attempt \u00b7 via HTTP:1745 \u00b7 (tentative d'exploit)", "target_port_label": "1745 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1745, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome\/55.0.1428 Safari\/537.36", "port": 1745, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:1745 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1745\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/597.54 (KHTML, like Gecko) Chrome", "target_port_label": "1745 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1745" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 14:00:41 UTC	TCP	4087 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4087 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4087 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:4087 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "fcb78616babf4665fa5fc03b2a03a99e4c3cdbd7", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 5.014142325131195, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4087, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "d46699970aad3b00b5f0f05af81bbac1b058ad4e", "event_fingerprint": "247ea7f4155a4cd7ecd883ba813e82593d9b45c3", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "29f60d1db1a041fd7d1f6cec25a89f9a", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 4087, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e8606126dbb6828e553b9197194b8fabfb7d467", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4087, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4087 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "4087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4087, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4087, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4087 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 14:00:41 UTC	TCP	4087 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4087 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4087 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:4087 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "fcb78616babf4665fa5fc03b2a03a99e4c3cdbd7", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.955276337346148, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4087, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "d46699970aad3b00b5f0f05af81bbac1b058ad4e", "event_fingerprint": "c8705b1a8c351ba1d0de15ed4a912e9442372943", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "1a9342884dffa96e350ce5bd3ff3d935", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 4087, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f77e29358da435e4366e1e83a38f12fe1230e40f", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4087, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4087 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "4087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4087, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4087, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4087 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
16/06/2026 14:00:40 UTC	TCP	4087 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4087 · (tentative d'exploit)	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit/597.4… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4087 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit/597.41 (KHTML, like Gecko) Chrome/83.0.1430 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4087 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit/597.41 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4087 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit/597.41 (KHTML, like Gecko) Chrome/83.0.1430 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "871a6780464537482156ec9d2c17728965c5c228", "http_host_hash": "fcb78616babf4665fa5fc03b2a03a99e4c3cdbd7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.410770024393673, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4087, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8d1f892bff44c7a044cc74e0351f9f7cd7e6d69b", "event_fingerprint": "057ce40dac2797718e2b401db3e7164dd8e07e66", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "92405ea8fa07144e470784a8431f9d22", "payload_hash": "e44328059c3ddcc2e73e0fe499788138", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4087, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like Gecko) Chrome\/83.0.1430 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like Gecko) Chrome\/83.0.1430 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like Gecko) Chrome\/83.0.1430 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like Gecko) Chrome\/83.0.1430 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5c072c88ccde9484e1e75f7bf994b04ded4b22cc", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like Gecko) Chrome\/83.0.1430 Safari\/537.36", "port": 4087, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:4087 \u00b7 (tentative d'exploit)", "target_port_label": "4087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4087, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like Gecko) Chrome\/83.0.1430 Safari\/537.36", "port": 4087, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4087 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1_2) AppleWebKit\/597.41 (KHTML, like", "target_port_label": "4087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
16/06/2026 14:00:40 UTC	TCP	4087 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4087 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4087 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:4087 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "fcb78616babf4665fa5fc03b2a03a99e4c3cdbd7", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.970541034866724, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4087, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "d46699970aad3b00b5f0f05af81bbac1b058ad4e", "event_fingerprint": "23d64ac3b468a67c203207ee6057f725943c9f72", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "7f48a872c622bfdfef1ed09dcf6bb70b", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 4087, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ce1181f00b3ff95e6608c66db00b49458a07af24", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4087, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4087 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "4087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4087, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4087, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4087 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4087\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
16/06/2026 05:51:54 UTC	TCP	261 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:261 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 9460af62ae0af667 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 261 Chemin / cible — Service TLS Payload ��!g`�y��ۉ�� 3iTmp,�y0$u��Qk �$��,�V[�~��C�ҥ��hUlݫ&�+�/�,�0̨̩� �� /5� � Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��!g`�y��ۉ��3iTmp,�y0$u��Qk �$��,�V[�~��C�ҥ��hUlݫ&�+�/�,�0̨̩� �� /5� � Requête brute (extrait) ��!g`�y��ۉ�� 3iTmp,�y0$u��Qk �$��,�V[�~��C�ҥ��hUlݫ&�+�/�,�0̨̩� �� /5� � + 3&$ ��G܌� ��t��{��r]6钖��d�E� Meta JSON brut { "tls_ja3_hash": "9460af62ae0af667130bf0d36514f084", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.831088968632112, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "US", "dst_port": 261, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f2308b7a3f7855a6a7c98fd3978c8e303f209012", "event_fingerprint": "4f479167514a063335b59882ec18606d82cb43a1", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9460af62ae0af667130bf0d36514f084", "payload_hash": "647663bbcbe88af392afab8564008651", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "9d78dfefabcee3ee16297d72e4cafc86", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0", "tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86", "tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 261, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!g`\u000f\ufffdy\ufffd\ufffd\u06c9\ufffd\ufffd\f3\u001diTmp,\ufffdy\u00110$u\ufffd\ufffd\u0012Qk \ufffd$\ufffd\ufffd\ufffd,\ufffdV\u000f[\ufffd~\ufffd\u001d\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u04a5\ufffd\ufffdhUl\u076b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!g`\u000f\ufffdy\ufffd\ufffd\u06c9\ufffd\ufffd\f3\u001diTmp,\ufffdy\u00110$u\ufffd\ufffd\u0012Qk \ufffd$\ufffd\ufffd\ufffd,\ufffdV\u000f[\ufffd~\ufffd\u001d\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u04a5\ufffd\ufffdhUl\u076b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdG\u070c\ufffd\r\ufffd\ufffdt\ufffd\ufffd{\u0006\ufffd\ufffd\ufffdr]6\u0002\u9496\ufffd\ufffd\ufffdd\ufffdE\ufffd\u0014", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!g`\u000f\ufffdy\ufffd\ufffd\u06c9\ufffd\ufffd\f3\u001diTmp,\ufffdy\u00110$u\ufffd\ufffd\u0012Qk \ufffd$\ufffd\ufffd\ufffd,\ufffdV\u000f[\ufffd~\ufffd\u001d\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u04a5\ufffd\ufffdhUl\u076b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "216fd84483ea41695d1868dccb233539a8232fe4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!g`\u000f\ufffdy\ufffd\ufffd\u06c9\ufffd\ufffd\f3\u001diTmp,\ufffdy\u00110$u\ufffd\ufffd\u0012Qk \ufffd$\ufffd\ufffd\ufffd,\ufffdV\u000f[\ufffd~\ufffd\u001d\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u04a5\ufffd\ufffdhUl\u076b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 261, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd!g`\ufffdy\ufffd\ufffd\u06c9\ufffd\ufffd3iTmp,\ufffdy0$u\ufffd\ufffdQk \ufffd$\ufffd\ufffd\ufffd,\ufffdV[\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u04a5\ufffd\ufffdhUl\u076b&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:261 \u00b7 (sonde \/ probe)", "target_port_label": "261 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 261, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003!g`\u000f\ufffdy\ufffd\ufffd\u06c9\ufffd\ufffd\f3\u001diTmp,\ufffdy\u00110$u\ufffd\ufffd\u0012Qk \ufffd$\ufffd\ufffd\ufffd,\ufffdV\u000f[\ufffd~\ufffd\u001d\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u04a5\ufffd\ufffdhUl\u076b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 261, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:261 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd!g`\ufffdy\ufffd\ufffd\u06c9\ufffd\ufffd3iTmp,\ufffdy0*$u\ufffd\ufffdQk \ufffd$\ufffd\ufffd\ufffd,\ufffdV[\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\u04a5\ufffd\ufffdhUl\u076b&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "261 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "261" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:261", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
16/06/2026 05:51:54 UTC	TCP	261	—	Sonde port Sonde port · port 261 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 261 Chemin / cible — Payload t3 12.1.2 AS:2048 HL:19 Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.1.2 AS:2048 HL:19 Meta JSON brut { "bytes_in": 25, "payload_entropy": 3.7834651896016456, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 261, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "fb2b5fbb6bd2cd3687d0c2e27ae811debceca771", "event_fingerprint": "ea8ba47f7c75799ad2c56aa01dd86a69dbc26d33", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 261, "risk_score": 44 }, "payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n", "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "evidence": { "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "845aa9ba1ac350b37a17d39fab1c96ea17093062", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 261 }, "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "attack_vector": "Sonde port \u00b7 port 261 \u00b7 (sonde \/ probe)", "target_port_label": "261", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 261, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 261 }, "attack_vector": "Sonde port \u00b7 port 261 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "target_port_label": "261", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "261" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:261", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
16/06/2026 05:51:53 UTC	TCP	261 · HTTP	http	Sonde port 261/TCP port 261 tcp · via HTTP:261 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.29.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua botnet_http_ua_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 261 Chemin / cible / Preuve honeypot — Sonde port 261/TCP Connexion détectée sur le port 261 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_261_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.29.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 62.3.50.33 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 74, "payload_entropy": 4.819344967782759, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 261, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 1, "campaign_key": "f13c938d6a6223a0c28d95b33ff4982112d7ad4b", "event_fingerprint": "fecd21ef4b02bbe736a6cec840b72b92c571153c", "classification_reason": "Type \u00ab port_261_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161", "payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 261, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "classification_reason": "Type \u00ab port_261_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "751ffac1a71d2dc83a96199afc0da2af80796032", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 261, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "attack_vector": "port 261 tcp \u00b7 via HTTP:261 \u00b7 (sonde \/ probe)", "target_port_label": "261 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_261_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_261_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 261, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 261, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 261 tcp \u00b7 via HTTP:261 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "target_port_label": "261 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "261" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:261" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "botnet_http_ua_host", "http_ua_suspicious", "scanner-ua" ] }
16/06/2026 05:51:47 UTC	TCP	261	—	Sonde port Sonde port · port 261 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 261 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 261, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "fb2b5fbb6bd2cd3687d0c2e27ae811debceca771", "event_fingerprint": "ea8ba47f7c75799ad2c56aa01dd86a69dbc26d33", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 261, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c68727b95f1d9471e4917d05aeae77e2e4ec9d14", "protocol_details": { "port": 261 }, "attack_vector": "Sonde port \u00b7 port 261 \u00b7 (sonde \/ probe)", "target_port_label": "261", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 261, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 261 }, "attack_vector": "Sonde port \u00b7 port 261 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "261", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "261" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
15/06/2026 23:33:47 UTC	TCP	266 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:266 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 266 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:266 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "434e608e326ce45a69ee759724ef879c4ccf60e1", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.904952384902521, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 266, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "9066ce3f49ccaf8307bc362e6e88986b1d0ea063", "event_fingerprint": "a499d694072424cade071465374384fc3e6531a0", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "f3effe33baccf90d7cb504cf61a7c17e", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 266, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ef6b627031a10a93d02e2e33c7b14a3621be5a37", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 266, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:266 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "266 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 266, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 266, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:266 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "266 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "266" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 23:33:47 UTC	TCP	266 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:266 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 266 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:266 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "434e608e326ce45a69ee759724ef879c4ccf60e1", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.948902485489108, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 266, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "9066ce3f49ccaf8307bc362e6e88986b1d0ea063", "event_fingerprint": "45fc4ebfc900ed1bdb5336545787d7436a33f7ad", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "d95b986aff4d5cba131ff819baa7ccdb", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 266, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "923be5ec2a990e1f4841695fa81f5bef9d6f4619", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 266, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:266 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "266 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 266, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 266, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:266 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "266 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "266" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 23:33:47 UTC	TCP	266 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:266 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 266 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:266 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "434e608e326ce45a69ee759724ef879c4ccf60e1", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 124, "payload_entropy": 4.889128722349326, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 266, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "9066ce3f49ccaf8307bc362e6e88986b1d0ea063", "event_fingerprint": "cf494821feb10fff1d0bf370ecbf52a45707dd9c", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "2c1d22b152159a0ebd1d806d3ddf89e0", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 266, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4791ecd0ca48416d6d2ebe5fb7fc0a4222da919", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 266, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:266 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "266 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 266, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 266, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:266 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "266 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "266" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 23:33:45 UTC	TCP	266 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:266 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit/577.5… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 266 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit/577.53 (KHTML, like Gecko) Chrome/70.0.226 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:266 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit/577.53 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:266 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit/577.53 (KHTML, like Gecko) Chrome/70.0.226 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "b10579464774c65a8f5bb79dba6dad3466c1b48e", "http_host_hash": "434e608e326ce45a69ee759724ef879c4ccf60e1", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.361632183436376, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 266, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d1c0899e5fe9ee437762584c6651b5252da04afb", "event_fingerprint": "f78e348a15cfd7ff67340c2ad0a5a9cd4ef27a0a", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "11472bc7c8d5935c030d24275f087ed2", "payload_hash": "6952a25c862024d2017adabc0976383e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 266, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like ", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like Gecko) Chrome\/70.0.226 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like Gecko) Chrome\/70.0.226 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like Gecko) Chrome\/70.0.226 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like Gecko) Chrome\/70.0.226 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f48bcd01082dddb0fbd592f3cbbf20b91c34999", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like Gecko) Chrome\/70.0.226 Safari\/537.36", "port": 266, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:266 \u00b7 (tentative d'exploit)", "target_port_label": "266 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 266, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like Gecko) Chrome\/70.0.226 Safari\/537.36", "port": 266, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:266 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:266\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 9_0_2) AppleWebKit\/577.53 (KHTML, like", "target_port_label": "266 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "266" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 00:28:46 UTC	TCP	4568 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4568 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4568 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:4568 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "77d9a805fa890187a1ebb62f8bd772150b1df766", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.954668018993708, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4568, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "032a8d14ddf8f3d8556e308fc39363bea7a05e10", "event_fingerprint": "42e8796278d68abbf8c7279e6e3984e9b6f08232", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "c0a9b6ceb7a9c56a94a3ecb31b63d335", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 4568, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "46c0010ca31d028fe8ef26b363f01cfecb86e6a9", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4568, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4568 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "4568 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4568, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4568, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4568 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4568 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4568" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
15/06/2026 00:28:46 UTC	TCP	4568 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4568 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4568 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:4568 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "77d9a805fa890187a1ebb62f8bd772150b1df766", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.939276337346147, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4568, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "032a8d14ddf8f3d8556e308fc39363bea7a05e10", "event_fingerprint": "2a6d7b41a82e4516af01e2367d8bb5565e519579", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "1bb4d4cacc50be9b6ddcab6f0e2a8445", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 4568, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b84f566afae8a98b9ff5c4771ba8107b4991150a", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4568, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4568 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "4568 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4568, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4568, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4568 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4568 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4568" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 00:28:46 UTC	TCP	4568 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:4568 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4568 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:4568 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "77d9a805fa890187a1ebb62f8bd772150b1df766", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.99826930925818, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4568, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "032a8d14ddf8f3d8556e308fc39363bea7a05e10", "event_fingerprint": "bcfe83b6d6482f6e5c2a25d098e19946800d99f3", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "4a1280e87248c2d72490ececd3b6838c", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 4568, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "98573d9a6e800cebdc5dca7090cb646d48c60450", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4568, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:4568 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "4568 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4568, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 4568, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:4568 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "4568 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4568" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
15/06/2026 00:28:45 UTC	TCP	4568 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:4568 · (tentative d'exploit)	Élevée	Moyen · 45
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit/584.40 (KH… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4568 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 45 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit/584.40 (KHTML, like Gecko) Chrome/94.0.2217 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4568 User-Agent: Mozilla/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit/584.40 (KHTML, like Geck Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:4568 User-Agent: Mozilla/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit/584.40 (KHTML, like Gecko) Chrome/94.0.2217 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "a2f974523bbf8fbfab0175e2d6a517a375bbf86a", "http_host_hash": "77d9a805fa890187a1ebb62f8bd772150b1df766", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 207, "payload_entropy": 5.434964683945351, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 4568, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2fb76044c57a7bc96f74dd57d559a0cdbf9372eb", "event_fingerprint": "8587143546eb08ac7ac8888ee94d322ef174bd8b", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1e770690a48b2d58e3eb4d63805221e4", "payload_hash": "5b477428b3cf6626160886defa668575", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 4568, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Geck", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Gecko) Chrome\/94.0.2217 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Gecko) Chrome\/94.0.2217 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Geck", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Gecko) Chrome\/94.0.2217 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Gecko) Chrome\/94.0.2217 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Geck", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "530f4f36c66e6d72ff0506629f113bb879525353", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Gecko) Chrome\/94.0.2217 Safari\/537.36", "port": 4568, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Geck", "attack_vector": "exploit attempt \u00b7 via HTTP:4568 \u00b7 (tentative d'exploit)", "target_port_label": "4568 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 4568, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Gecko) Chrome\/94.0.2217 Safari\/537.36", "port": 4568, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:4568 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4568\r\nUser-Agent: Mozilla\/5.0 (Windows NT 7_0; Win64; x64) AppleWebKit\/584.40 (KHTML, like Geck", "target_port_label": "4568 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "4568" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
14/06/2026 19:26:00 UTC	TCP	209 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:209 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 209 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:209 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "be432038d9832d27022ab68cf02bedf0da0a2a27", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.926991484919829, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 209, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "db1195d10d5033667b9e66eece59d442d12acc06", "event_fingerprint": "2d50516c54c58e0edb12134b2322b4ce65a36e76", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "2b4fc43472a6937db93fd8f014b35fd1", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 209, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2fcb7537f4645437830f08f410639309c8f381f0", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 209, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:209 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "209 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 209, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 209, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:209 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "209 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "209" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
14/06/2026 19:26:00 UTC	TCP	209 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:209 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 209 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:209 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "be432038d9832d27022ab68cf02bedf0da0a2a27", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.970941585506416, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 209, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "db1195d10d5033667b9e66eece59d442d12acc06", "event_fingerprint": "72b20e9a7cea2425f7e50ba869801238bdf0cf7a", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "fbce83f2b53d95fad61aef9b9e3d497c", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 209, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f1c6f90fd8900bc3c52a5b05b4e65641cac244f", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 209, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:209 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "209 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 209, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 209, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:209 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "209 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "209" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
14/06/2026 19:26:00 UTC	TCP	209 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:209 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 209 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:209 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "be432038d9832d27022ab68cf02bedf0da0a2a27", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 124, "payload_entropy": 4.911345557044192, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 209, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "db1195d10d5033667b9e66eece59d442d12acc06", "event_fingerprint": "f75f39f2d132ebc352ff031478b6769931ad38cf", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "998adb301d38a8d4ef77c26f7fd8d336", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 209, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "830eaabe1b05a674e6aed7a67369507dab25ab42", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 209, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:209 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "209 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 209, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 209, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:209 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "209 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "209" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
14/06/2026 19:25:59 UTC	TCP	209 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:209 · (tentative d'exploit)	Élevée	Moyen · 47
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/580.47 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 209 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 47 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/580.47 (KHTML, like Gecko) Chrome/99.0.298 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:209 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/580.47 (KHTML, like Gecko) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:209 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/580.47 (KHTML, like Gecko) Chrome/99.0.298 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "abd67d9ee5eea84f1ca973105cd11f101fe0cdfc", "http_host_hash": "be432038d9832d27022ab68cf02bedf0da0a2a27", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 196, "payload_entropy": 5.460986110660185, "port_category": "well_known", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 209, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f638f6aef0dd481d8d5e1543efc6776b30f7e981", "event_fingerprint": "4985ba78708ceb0d624b4fd85a2cedbd60589dac", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "fbfcec7c70346b41ca8b1dcaea788fe3", "payload_hash": "b67fc91fca1b06ab28cbffdb5f7468a2", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 209, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/99.0.298 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/99.0.298 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/99.0.298 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/99.0.298 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c3e28fdbaf5af573c7102f8df25116a1a7ea5d4b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/99.0.298 Safari\/537.36", "port": 209, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:209 \u00b7 (tentative d'exploit)", "target_port_label": "209 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 209, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/99.0.298 Safari\/537.36", "port": 209, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:209 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:209\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/580.47 (KHTML, like Gecko) Chrome\/", "target_port_label": "209 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "209" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 96 }
14/06/2026 19:16:30 UTC	TCP	10175	—	Sonde port Sonde port · port 10175 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10175 Chemin / cible — Payload t3 12.1.2 AS:2048 HL:19 Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.1.2 AS:2048 HL:19 Meta JSON brut { "bytes_in": 25, "payload_entropy": 3.7834651896016456, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 10175, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "94d81bf6fafc50307cec86bddc6a3304346fe220", "event_fingerprint": "98a5a35215c77900426416ea71856bc7a7bf2ed5", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 10175, "risk_score": 44 }, "payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n", "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "evidence": { "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "102b5caf7d037d5b2861605edded3c5ac88f114a", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 10175 }, "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "attack_vector": "Sonde port \u00b7 port 10175 \u00b7 (sonde \/ probe)", "target_port_label": "10175", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 10175, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 10175 }, "attack_vector": "Sonde port \u00b7 port 10175 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "target_port_label": "10175", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "10175" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:10175", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
14/06/2026 19:16:29 UTC	TCP	10175 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:10175 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 9460af62ae0af667 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10175 Chemin / cible — Service TLS Payload ��P��@c5FG�q�b^ro��J �Y��R{�(��7A��7�K�� v�{� &�+�/�,�0̨̩� �� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��P��@c5FG�q�b^ro��J �Y��R{�(��7A��7�K�� v�{� &�+�/�,�0̨̩� �� /5� � Requête brute (extrait) ��P��@c5FG�q�b^ro��J �Y��R{�(��7A��7�K�� v�{� &�+�/�,�0̨̩� �� /5� � + 3&$ ��X�-d�O�Ng��d�#d��i�0�EQ樢�� Meta JSON brut { "tls_ja3_hash": "9460af62ae0af667130bf0d36514f084", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.714742207421794, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "US", "dst_port": 10175, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "40cc548791eb83c0c258025f66f80eef8cca13b9", "event_fingerprint": "ee7b9c69de23b003608e1d45273826c4181d6dfa", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9460af62ae0af667130bf0d36514f084", "payload_hash": "9eaf04030a61c60a4989a52cd2433ce1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "9d78dfefabcee3ee16297d72e4cafc86", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0", "tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86", "tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 10175, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0002\ufffd\ufffd\ufffd\ufffd\ufffd\u001c\ufffdP\u0000\ufffd\ufffd\u001e@\u000ec5FG\ufffdq\ufffdb^ro\ufffd\ufffd\u0002\ufffdJ \ufffdY\ufffd\ufffd\ufffdR{\ufffd(\ufffd\ufffd7A\ufffd\u0000\ufffd7\ufffdK\ufffd\ufffd\ufffd \u000e\ufffdv\b\ufffd{\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0002\ufffd\ufffd\ufffd\ufffd\ufffd\u001c\ufffdP\u0000\ufffd\ufffd\u001e@\u000ec5FG\ufffdq\ufffdb^ro\ufffd\ufffd\u0002\ufffdJ \ufffdY\ufffd\ufffd\ufffdR{\ufffd(\ufffd\ufffd7A\ufffd\u0000\ufffd7\ufffdK\ufffd\ufffd\ufffd \u000e\ufffdv\b\ufffd{\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdX\ufffd-\u0017d\ufffdO\ufffdNg\ufffd\ufffdd\ufffd#d\ufffd\ufffdi\ufffd0\ufffdEQ\u6a22\ufffd\ufffd\u0003", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0002\ufffd\ufffd\ufffd\ufffd\ufffd\u001c\ufffdP\u0000\ufffd\ufffd\u001e@\u000ec5FG\ufffdq\ufffdb^ro\ufffd\ufffd\u0002\ufffdJ \ufffdY\ufffd\ufffd\ufffdR{\ufffd(\ufffd\ufffd7A\ufffd\u0000\ufffd7\ufffdK\ufffd\ufffd\ufffd \u000e\ufffdv\b\ufffd{\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbfbf1b5e111e3f578576a102e45ff0694e285c5", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0002\ufffd\ufffd\ufffd\ufffd\ufffd\u001c\ufffdP\u0000\ufffd\ufffd\u001e@\u000ec5FG\ufffdq\ufffdb^ro\ufffd\ufffd\u0002\ufffdJ \ufffdY\ufffd\ufffd\ufffdR{\ufffd(\ufffd\ufffd7A\ufffd\u0000\ufffd7\ufffdK\ufffd\ufffd\ufffd \u000e\ufffdv\b\ufffd{\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 10175, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd@c5FG\ufffdq\ufffdb^ro\ufffd\ufffd\ufffdJ \ufffdY\ufffd\ufffd\ufffdR{\ufffd(\ufffd\ufffd7A\ufffd\ufffd7\ufffdK\ufffd\ufffd\ufffd \ufffdv\ufffd{\ufffd &\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:10175 \u00b7 (sonde \/ probe)", "target_port_label": "10175 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 10175, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0002\ufffd\ufffd\ufffd\ufffd\ufffd\u001c\ufffdP\u0000\ufffd\ufffd\u001e@\u000ec5FG\ufffdq\ufffdb^ro\ufffd\ufffd\u0002\ufffdJ \ufffdY\ufffd\ufffd\ufffdR{\ufffd(\ufffd\ufffd7A\ufffd\u0000\ufffd7\ufffdK\ufffd\ufffd\ufffd \u000e\ufffdv\b\ufffd{\ufffd \u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 10175, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:10175 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd@c5FG\ufffdq\ufffdb^ro\ufffd\ufffd\ufffdJ \ufffdY\ufffd\ufffd\ufffdR{\ufffd(\ufffd\ufffd7A\ufffd\ufffd7\ufffdK\ufffd\ufffd\ufffd \ufffdv\ufffd{\ufffd &\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "10175 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "10175" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:10175", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
14/06/2026 19:16:28 UTC	TCP	10175 · HTTP	http	Sonde port 10175/TCP port 10175 tcp · via HTTP:10175 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.29.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua botnet_http_ua_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10175 Chemin / cible / Preuve honeypot — Sonde port 10175/TCP Connexion détectée sur le port 10175 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_10175_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.29.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 62.3.50.33 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 74, "payload_entropy": 4.819344967782759, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 10175, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 1, "campaign_key": "22a4a9503c4da73f294668f9abe2db4a4222a344", "event_fingerprint": "fc0202a7189be4e08a0a35fc4ef3e3054d6ae20a", "classification_reason": "Type \u00ab port_10175_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161", "payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10175, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "classification_reason": "Type \u00ab port_10175_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7bbcc63773bb64be9462c52a6954f7a4adfe2de1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 10175, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "attack_vector": "port 10175 tcp \u00b7 via HTTP:10175 \u00b7 (sonde \/ probe)", "target_port_label": "10175 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_10175_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_10175_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10175, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 10175, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 10175 tcp \u00b7 via HTTP:10175 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "target_port_label": "10175 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10175" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:10175" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "botnet_http_ua_host", "http_ua_suspicious", "scanner-ua" ] }
14/06/2026 19:16:22 UTC	TCP	10175	—	Sonde port Sonde port · port 10175 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10175 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 10175, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "94d81bf6fafc50307cec86bddc6a3304346fe220", "event_fingerprint": "98a5a35215c77900426416ea71856bc7a7bf2ed5", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 10175, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "48cc8d43b0a653ac61dd2fa0485f3f17d69107d2", "protocol_details": { "port": 10175 }, "attack_vector": "Sonde port \u00b7 port 10175 \u00b7 (sonde \/ probe)", "target_port_label": "10175", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 10175, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 10175 }, "attack_vector": "Sonde port \u00b7 port 10175 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "10175", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "10175" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "behavior_alert_count": 1, "behavior_priority": 72 }
14/06/2026 18:24:54 UTC	TCP	1933 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1933 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1933 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:1933 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "ae73cd76fce0ebc5a9a7465cd3a31a5a18aaa0d5", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.887561189772466, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 1933, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "e091e3920fe2c1b3656c68f2ea5c8357c1f0c1b5", "event_fingerprint": "38fb95e46e187542e8930a1ddb4d84db5deea489", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "f6f320506fb96c9324b782be93904653", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 1933, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "252901d2d8caf2c39cbf85d3723de6e27a90aca1", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1933, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1933 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "1933 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1933, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1933, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1933 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1933 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1933" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
14/06/2026 18:24:54 UTC	TCP	1933 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1933 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1933 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:1933 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "ae73cd76fce0ebc5a9a7465cd3a31a5a18aaa0d5", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.946964599363655, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 1933, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "e091e3920fe2c1b3656c68f2ea5c8357c1f0c1b5", "event_fingerprint": "1cd7b50bbff335e827904fca7ef5c2458a148750", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "bd1b7ba44b3d318678182497d55e54b5", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 1933, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6cf1961bba9803e7adb5bb129353a9be1b3e647d", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1933, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1933 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "1933 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1933, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1933, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1933 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1933 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1933" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
14/06/2026 18:24:53 UTC	TCP	1933 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:1933 · (tentative d'exploit)	Élevée	Moyen · 45
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit/591.36 (… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1933 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 45 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit/591.36 (KHTML, like Gecko) Chrome/76.0.2535 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1933 User-Agent: Mozilla/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit/591.36 (KHTML, like Ge Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1933 User-Agent: Mozilla/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit/591.36 (KHTML, like Gecko) Chrome/76.0.2535 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "86e84ec2c6d7a374452378ffa64cefe640dd36b6", "http_host_hash": "ae73cd76fce0ebc5a9a7465cd3a31a5a18aaa0d5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.407242915718828, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 1933, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b8bdf9063ad284f9d79ce2c88f8a979295189cd5", "event_fingerprint": "0430b71c884adb71dcd44a992f90b2fbdeacae14", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ccca803ab4fd7cb7abfcd260e53e2e31", "payload_hash": "534066996515d10cb1c690c26082fc34", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1933, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Ge", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Gecko) Chrome\/76.0.2535 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Gecko) Chrome\/76.0.2535 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Gecko) Chrome\/76.0.2535 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Gecko) Chrome\/76.0.2535 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Ge", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e1a977cb8cc51152ed49ef3d452b64330c6be96", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Gecko) Chrome\/76.0.2535 Safari\/537.36", "port": 1933, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Ge", "attack_vector": "exploit attempt \u00b7 via HTTP:1933 \u00b7 (tentative d'exploit)", "target_port_label": "1933 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 45 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1933, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Gecko) Chrome\/76.0.2535 Safari\/537.36", "port": 1933, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:1933 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit\/591.36 (KHTML, like Ge", "target_port_label": "1933 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1933" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
14/06/2026 18:24:53 UTC	TCP	1933 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1933 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1933 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:1933 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "ae73cd76fce0ebc5a9a7465cd3a31a5a18aaa0d5", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.903363309099183, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 1933, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "e091e3920fe2c1b3656c68f2ea5c8357c1f0c1b5", "event_fingerprint": "069753d50996005b54fa24a3e0b8bdca19665cf6", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "38cc531f7cd15c7eda880f99f3327135", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 1933, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d0898500d1c63fbbf8f839b26168c11a8d1e2c4", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1933, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1933 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "1933 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1933, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1933, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1933 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1933\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1933 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1933" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
13/06/2026 17:25:08 UTC	TCP	19194 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:19194 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19194 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:19194 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "54add0a8fe9be1dd3a1269959addb89fa7b3d5ba", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.938614805102013, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 19194, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c2f85a3eee8f8d7ee8a7e3ca9c316c79f18d0970", "event_fingerprint": "a8c9f8ee7aa2e9516bf55bc9e7111fb786a95d3a", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "5bde931c115488bafb62d9a419fcf947", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 19194, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fa0d37e0c13df6d83637cfb7143a0a467c7c8325", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 19194, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:19194 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "19194 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19194, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 19194, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:19194 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "19194 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19194" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
13/06/2026 17:25:08 UTC	TCP	19194 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:19194 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19194 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:19194 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "54add0a8fe9be1dd3a1269959addb89fa7b3d5ba", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.981872778120306, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 19194, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c2f85a3eee8f8d7ee8a7e3ca9c316c79f18d0970", "event_fingerprint": "8700ea1ef15d613e5c1ab4166a11daf8b035d349", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "d7761367024e1fef59a024f76246f86c", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 19194, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "428ea92c8309a391c698550166df8ba0e42df7cd", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 19194, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:19194 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "19194 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19194, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 19194, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:19194 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "19194 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19194" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
13/06/2026 17:25:08 UTC	TCP	19194 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:19194 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19194 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:19194 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "54add0a8fe9be1dd3a1269959addb89fa7b3d5ba", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.923126999541032, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 19194, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c2f85a3eee8f8d7ee8a7e3ca9c316c79f18d0970", "event_fingerprint": "89013a41e412e0fe6b0ad34caaa079cd147227a7", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "c1202db008ecc2857b04febcbe30e665", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 19194, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8cfc728c44c809a75137e94d18b1b81bcaabfa34", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 19194, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:19194 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "19194 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19194, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 19194, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:19194 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "19194 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19194" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
13/06/2026 17:25:07 UTC	TCP	19194 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:19194 · (tentative d'exploit)	Élevée	Moyen · 44
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/575.43 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 19194 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 44 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/575.43 (KHTML, like Gecko) Chrome/56.0.321 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:19194 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/575.43 (KHTML, like Gecko) Chrom Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:19194 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/575.43 (KHTML, like Gecko) Chrome/56.0.321 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "105a150b7c23b143f9adc3dfcfe805a72edc560a", "http_host_hash": "54add0a8fe9be1dd3a1269959addb89fa7b3d5ba", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.430705331211522, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "US", "dst_port": 19194, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ceeade493fdd1640c73913a1e4480519877ac145", "event_fingerprint": "d3f6a72f9f351e2afcf0a457acc089c834f88413", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0d0833f3d3088b146e27d6ed9fc43c86", "payload_hash": "80c7ece50e3154705a79f8c49beeb0c0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 19194, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrom", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrome\/56.0.321 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrome\/56.0.321 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrom", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrome\/56.0.321 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrome\/56.0.321 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrom", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ad7c7d6b390e3755de83c4330992ee40e3162e8c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrome\/56.0.321 Safari\/537.36", "port": 19194, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrom", "attack_vector": "exploit attempt \u00b7 via HTTP:19194 \u00b7 (tentative d'exploit)", "target_port_label": "19194 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 19194, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrome\/56.0.321 Safari\/537.36", "port": 19194, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:19194 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:19194\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/575.43 (KHTML, like Gecko) Chrom", "target_port_label": "19194 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "19194" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }

165.154.162.212

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence