{"ip":"171.231.191.125","exported_at":"2026-06-17T16:13:30+00:00","period_days":30,"metrics":{"events7d":92,"distinct_ports":1,"distinct_classifications":1,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":null,"max_risk_score":50,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"investigate","confidence":1,"risk_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":36,"novelty":25},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"T1046","top_mitre_technique":"T1046","top_mitre_count":92,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":36,"novelty":25,"risk_score":50},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["rafale_auth"],"correlation_flags_labels_fr":["Rafale auth"],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["Client SSH libssh\/paramiko (scanner)","pat-0391","Upstream"],"tags_summary":["INT-ssh-libssh-ua","pat-0391","INT-upstream"],"attack_vector":"Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)","protocol_details":{"ssh_banner":"SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\/\ufffd\ufffd\ufffd[\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp","payload_preview":"SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\/\ufffd\ufffd\ufffd[\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp","port":22,"service":"ssh","service_label_fr":"SSH"},"protocol_summary_fr":"SSH: SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\/\ufffd\ufffd\ufffd[\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-s\u2026 \u00b7 Payload SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\/\ufffd\ufffd\ufffd[\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha\u2026 \u00b7 SSH:22","evidence_snippet":"SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\/\ufffd\ufffd\ufffd[\ufffd\ufffdv*\u069b\ufffd2\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp","target_port_label":"22 \u00b7 SSH","emulator_service":"ssh","confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%","classification_reason_label_fr":"Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8","payload_preview":"SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\/\ufffd\ufffd\ufffd[\ufffd\ufffdv*\u069b\ufffd2\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp"},"events":[{"id":9437072,"ip":"171.231.191.125","ts":"2026-06-17 00:28:29.000000","proto":"tcp","src_port":36476,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.777469458111501, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022add04e07ee171ab136ecb6610609076c\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ec05452532b101b1f0750d962f81f1eedbf31551\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\/\ufffd\ufffd\ufffd[\ufffd\ufffdv*\u069b\ufffd2\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\/\ufffd\ufffd\ufffd[\\u000f\ufffd\ufffdv*\u069b\ufffd2\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\/\ufffd\ufffd\ufffd[\ufffd\ufffdv*\u069b\ufffd2\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 6, \u0022ssh_auth_burst_rate\u0022: 1.0, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437069,"ip":"171.231.191.125","ts":"2026-06-17 00:28:24.000000","proto":"tcp","src_port":36468,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.768176200514971, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cfd2c7fbc5387e1d108bce4d62ebd189\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f5e640a1d5cb8b829a534e00888fa7651e0c3400\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\\\u0022z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0015\\u0011\\\u0022\\u0002z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\\\u0022z\ufffdF2h\ufffd\ufffdpa\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437067,"ip":"171.231.191.125","ts":"2026-06-17 00:28:23.000000","proto":"tcp","src_port":36462,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.781081361893417, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d00a1b9da2b1e29b98f4906b4079712f\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002288f78815413a7d09789486f27cf6471c18463404\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdzI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014zI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\\u0018\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdzI\ufffd\ufffdk\ufffdZgP\ufffdW\u003C\ufffdU\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437048,"ip":"171.231.191.125","ts":"2026-06-17 00:27:50.000000","proto":"tcp","src_port":42882,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.764827949653702, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220be61a75dcaec2ccafac51fb145eb599\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227bcf56113830a3d260c74afc66ea72b4ed6ab990\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd~-\ufffdo\ufffd(s\ufffdl\ufffd\ufffdZ\ufffd5\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 12, \u0022ssh_auth_burst_rate\u0022: 1.0}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437045,"ip":"171.231.191.125","ts":"2026-06-17 00:27:47.000000","proto":"tcp","src_port":42870,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.7779610569832425, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002242d3c4e69934dee09d8d4c7464c5e255\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222b87634ebcd37ac68f252ee48a1319527e365c3b\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd`=3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\u0230\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 16, \u0022ssh_auth_burst_rate\u0022: 1.14}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437041,"ip":"171.231.191.125","ts":"2026-06-17 00:27:43.000000","proto":"tcp","src_port":42862,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.7728448520872595, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228b55d35021455ff2f1458b0d04ed69bb38e1a8a1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cbecf7d2c5f723235af6e9bde658f4fd\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ceb6cf4e2ac07ac2687de8e1bc1dbe975ba96758\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdR+U\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014R\\b+\\bU\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\\u0005\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdR+U\ufffdj\ufffd\ufffd\ufffd\ufffd1m\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 16, \u0022ssh_auth_burst_rate\u0022: 1.14}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437040,"ip":"171.231.191.125","ts":"2026-06-17 00:27:41.000000","proto":"tcp","src_port":55994,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.772520444412562, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223ff0f2f55ba36e1f61c9d375ccc7720c\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f7046da6aa6ecb03c61fc0f6b29dfa82b401451d\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd:\ufffd\ufffd\ufffdA:\ufffdKIjf\\nR\ufffd-\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 16, \u0022ssh_auth_burst_rate\u0022: 1.14}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437035,"ip":"171.231.191.125","ts":"2026-06-17 00:27:38.000000","proto":"tcp","src_port":55962,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.7717675229324055, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b45bd0c72e3f4ee1c2224dbb599c8c32\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228163b0e098e938019b925546bc62d936d99116d3\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd}l\ufffd\ufffdREd\ufffd=`Z\u0026tx\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014}l\ufffd\ufffdRE\\fd\ufffd=`Z\u0026t\\bx\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd}l\ufffd\ufffdREd\ufffd=`Z\u0026tx\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 13, \u0022ssh_auth_burst_rate\u0022: 1.18}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437036,"ip":"171.231.191.125","ts":"2026-06-17 00:27:38.000000","proto":"tcp","src_port":55964,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.770581888420118, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228b55d35021455ff2f1458b0d04ed69bb38e1a8a1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ff0db1795f6c2440a6f10b5ec6c4e570\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022987bc81eed404945354c16a0c68ea361eff1e4c5\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00142\ufffd\ufffd\ufffd\ufffd\\u000f\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd0y\ufffd\ufffdu\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 14, \u0022ssh_auth_burst_rate\u0022: 1.27}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437030,"ip":"171.231.191.125","ts":"2026-06-17 00:27:33.000000","proto":"tcp","src_port":55942,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.775915196830388, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226bec0ebceaed4d62028c97be25d25bd0\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002205415803701720ecaaa0cde642054a7b43b22ecd\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdF\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014F\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\\u001f\ufffd\ufffd9\\u0006\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdF\ufffd\ufffde\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 12, \u0022ssh_auth_burst_rate\u0022: 1.09}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437031,"ip":"171.231.191.125","ts":"2026-06-17 00:27:33.000000","proto":"tcp","src_port":55956,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.777213380976054, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c79b32d2595682b13e30e16c05484d24\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229d9b236ec0aec350ec8ef47f9da5cfd3cab3bbe4\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd=6%\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\\u001b\ufffd=6%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\\\\\ufffd7\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd=6%\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 13, \u0022ssh_auth_burst_rate\u0022: 1.18}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437026,"ip":"171.231.191.125","ts":"2026-06-17 00:27:30.000000","proto":"tcp","src_port":49124,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.774273137849024, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002233f5a21a3af20c5bd8d65117118e67c5\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b91f7aa4bb84fd97475040bf70a4f4b2aa6c3a8d\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd-\ufffd\u0027\ufffd\ufffd!\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0003-\ufffd\u0027\ufffd\ufffd\\u001f!\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd-\ufffd\u0027\ufffd\ufffd!\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 11, \u0022ssh_auth_burst_rate\u0022: 1.37}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437025,"ip":"171.231.191.125","ts":"2026-06-17 00:27:29.000000","proto":"tcp","src_port":49108,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.781434634479851, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002280da37ca401019f7fa39d370b8d7e69b\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221693a399d1d49baec95ee3437345b401189c5fa9\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\u003C\ufffdAj\ufffdk\ufffd\ufffd\\t\ufffd\ufffdW\ufffdQ\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 10, \u0022ssh_auth_burst_rate\u0022: 1.43}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437017,"ip":"171.231.191.125","ts":"2026-06-17 00:27:27.000000","proto":"tcp","src_port":49076,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.772899063009674, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a6f3188966255dbba32fae2debdf64f3\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022378cab038584ef4fdef35725a454c248b9237e1a\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffdx\ufffdk\ufffd\ufffd5o\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0004\ufffd\\u0004\ufffd\\u0007x\ufffd\\u000ek\ufffd\ufffd5o\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffdx\ufffdk\ufffd\ufffd5o\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 8, \u0022ssh_auth_burst_rate\u0022: 0.67}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437013,"ip":"171.231.191.125","ts":"2026-06-17 00:27:22.000000","proto":"tcp","src_port":49058,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.765573075655813, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022346ccb89036aae438dacfc2b6208eb9c\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022160f692d76df29f6e6697f276b721d1df8b0934b\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd\u07f6\ufffda\ufffd\ufffddcX)h\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\u07f6\ufffda\ufffd\ufffdd\\u0019cX\\u0011)\\u0000h\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd\u07f6\ufffda\ufffd\ufffddcX)h\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 14, \u0022ssh_auth_burst_rate\u0022: 0.93}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9437007,"ip":"171.231.191.125","ts":"2026-06-17 00:27:17.000000","proto":"tcp","src_port":60168,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1422, \u0022payload_entropy\u0022: 4.893687405899984, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228b55d35021455ff2f1458b0d04ed69bb38e1a8a1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8a3726acfa7f4d0a60a8742871943db\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223125154bfb260e21f1cc5e259fbe14f8b61b0161\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\\\\\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\ufffd5\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\\\\\b\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\\u001d\ufffd5\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\\\\\ufffdWw\ufffd\ufffd\ufffdh\u05ae\ufffd\ufffd5\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 13, \u0022ssh_auth_burst_rate\u0022: 1.3}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1422},{"id":9436999,"ip":"171.231.191.125","ts":"2026-06-17 00:27:15.000000","proto":"tcp","src_port":60166,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.778714474813306, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e1ee97d286f7d70724b4b0aa097ae188\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002268fe7e547450612cca666bf2987a8efc31f39f78\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd|\ufffdQ\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\u003CeG\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 12, \u0022ssh_auth_burst_rate\u0022: 0.92}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436990,"ip":"171.231.191.125","ts":"2026-06-17 00:27:08.000000","proto":"tcp","src_port":52270,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.776939338767315, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e27e920508d7c6f463b2449ed0534fe4\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fdca2400e229aba0941e0b5008b94db688d83f91\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdS\ufffdQ\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014S\\u0007\ufffdQ\ufffda\\u0003\\u0017\ufffd\ufffd\ufffd\\u0010\\u000f\ufffd\\u000f\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdS\ufffdQ\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 13, \u0022ssh_auth_burst_rate\u0022: 0.93}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436993,"ip":"171.231.191.125","ts":"2026-06-17 00:27:08.000000","proto":"tcp","src_port":52286,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.7723698725906125, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228b55d35021455ff2f1458b0d04ed69bb38e1a8a1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228974bf46c32491bebcbb801f724906ff\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f3ac17d304197d657633b4492a2172def4a4625e\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd@Qj\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd\\b@\\u0017Qj\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd0\u0026\ufffds\u00af=\ufffd\ufffd\ufffd@Qj\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 14, \u0022ssh_auth_burst_rate\u0022: 1.0}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce_burst\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436988,"ip":"171.231.191.125","ts":"2026-06-17 00:27:07.000000","proto":"tcp","src_port":52246,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.779866080796657, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022afa8e8da0ac6ca5c1134152d3dfb42e1\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002278a7f219a157affff320e5ffce067985d11f7c7f\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffdK\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\ufffd%\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0013K\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\\u0005\ufffd%\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffdK\ufffd\ufffd\ufffd\ufffd2\ufffdkR\ufffd\ufffd%\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 9, \u0022ssh_auth_burst_rate\u0022: 0.69}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436989,"ip":"171.231.191.125","ts":"2026-06-17 00:27:07.000000","proto":"tcp","src_port":52254,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.783729464355414, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e38f7cb25f733c92bbf52d5c59519287\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cdb2b518f4a2ce240ccc3a466d9a360f8796e2fc\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\\u0016\\u000f\ufffd\ufffd\ufffd\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd+=\ufffd\ufffd\/\ufffdJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 12, \u0022ssh_auth_burst_rate\u0022: 0.92}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436984,"ip":"171.231.191.125","ts":"2026-06-17 00:27:02.000000","proto":"tcp","src_port":39118,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.775785690347643, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ea87169544a230ebd9f64c9e8684fd05\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d468af0b802dd6f06a4fb14f7a048cc160d0f28b\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0007\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\\u0006\\u0019\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd$V\ufffd\u00f5\ufffda\ufffdV\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 6, \u0022ssh_auth_burst_rate\u0022: 0.75}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436981,"ip":"171.231.191.125","ts":"2026-06-17 00:26:58.000000","proto":"tcp","src_port":39106,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 1422, \u0022payload_entropy\u0022: 4.894164876711692, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223713e4a02fa04758aae757ce6105afb2\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002208e9da07f2a982544b63964e0d80f0b8300a4523\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\/\ufffd\ufffdmC\ufffd\ued4f\ufffd\u056e\ufffd\ufffde\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 8, \u0022ssh_auth_burst_rate\u0022: 0.57}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1422},{"id":9436979,"ip":"171.231.191.125","ts":"2026-06-17 00:26:54.000000","proto":"tcp","src_port":39100,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.777161105053079, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226945d8c07ec7720f2b7cd7f02016f6f3\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229069dd3632ab7aa93fd5d3d52f6010a08c3ffa22\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdA\ufffd\ufffdy\ufffd`y\ufffd{\ufffd\u6b05\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdA\ufffd\\u001d\ufffdy\ufffd`y\ufffd\\u0003{\ufffd\u6b05\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdA\ufffd\ufffdy\ufffd`y\ufffd{\ufffd\u6b05\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 6, \u0022ssh_auth_burst_rate\u0022: 0.6}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436971,"ip":"171.231.191.125","ts":"2026-06-17 00:26:46.000000","proto":"tcp","src_port":52962,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.771009293146236, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022714f5b184b7d9f87cb1259b43f102893\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225187c3924779deffd56de603bf8260fdf0044b6d\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdm9+\ufffdN\ufffdiJx\u07dd\ufffdH\\\u0022\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 6, \u0022ssh_auth_burst_rate\u0022: 0.6}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436967,"ip":"171.231.191.125","ts":"2026-06-17 00:26:44.000000","proto":"tcp","src_port":52952,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.782399885445102, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b19f28d6f63d19f4e488e4fda2cb0a44\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b4e37317702d657a2d2a98cf92e4b4278d59c392\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd*W\ufffd\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd*\\u0018W\ufffd\\u000f\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\\u0002\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd*W\ufffd\ufffd\ufffdH\ufffd\u0391\ufffd\ufffd=\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436961,"ip":"171.231.191.125","ts":"2026-06-17 00:26:36.000000","proto":"tcp","src_port":45312,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.772878485346075, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022be6149d730cd0046297809950512a7ca\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224bf06786580e1394fcc2bd11b32004bd87c83789\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd \ufffd}\ufffdh\u0027\ufffdWo\\n\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014 \ufffd\\u0007}\ufffd\\u0006h\u0027\ufffdWo\\n\ufffd\\u000f\ufffd\\u0015\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd \ufffd}\ufffdh\u0027\ufffdWo\\n\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436950,"ip":"171.231.191.125","ts":"2026-06-17 00:26:26.000000","proto":"tcp","src_port":41570,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.780236659629849, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c4481cc0d0fc83ab8ad272600850e565\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227873ea82971dbd70d9227822d73ceb00ef0f4a76\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdEzI\ufffd\ufffd\ufffd\ufffd\ufffdX}\ufffdp\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdEzI\ufffd\ufffd\ufffd\\u0003\ufffd\ufffdX}\ufffdp\\u000e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdEzI\ufffd\ufffd\ufffd\ufffd\ufffdX}\ufffdp\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 12, \u0022ssh_auth_burst_rate\u0022: 0.86}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436940,"ip":"171.231.191.125","ts":"2026-06-17 00:26:20.000000","proto":"tcp","src_port":51212,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.765138955936516, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002275b57294eef10a552373108b59ff9bf3\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022559aa2175c646901105f5d7978cbdefca3dc5cd5\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdo\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014o\\u0017\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdo\ufffd\ufffd\ufffd\ufffdh\u0026\ufffd\ufffdu?2o\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 10, \u0022ssh_auth_burst_rate\u0022: 1.25}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436937,"ip":"171.231.191.125","ts":"2026-06-17 00:26:17.000000","proto":"tcp","src_port":51210,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.7817989624249115, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b486ca17bf11c529c2fc13bb1ba417f9\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f5e98c15e44ca3da3a922bb841f7d5b9ac841cec\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\\u0005\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdqU\ufffd\ufffd\ufffdN\ufffd\u02ce\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 9, \u0022ssh_auth_burst_rate\u0022: 1.8}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436934,"ip":"171.231.191.125","ts":"2026-06-17 00:26:14.000000","proto":"tcp","src_port":51194,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.768092891340193, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223c3e1318b659008751c70699aa8e2b00\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222d4277534d6d51e602b32c35e6de1617c61ec98b\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd5\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u00145\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd5\ufffd\ufffdoxG\u07e0:H,\ufffd\ufffdj=y\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 8, \u0022ssh_auth_burst_rate\u0022: 3.98}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436930,"ip":"171.231.191.125","ts":"2026-06-17 00:26:12.000000","proto":"tcp","src_port":53766,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.771432833596146, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002296a975869a5f714dc8ff6b017dbb34b1\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c5d4b16b5ba185ce451c21995d3b42d1b073ad2c\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffdR.\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM,e\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u0014\ufffdR.\ufffd\ufffd\ufffd\\u0017\ufffd\ufffd\ufffdM,e\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffdR.\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM,e\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 5, \u0022ssh_auth_burst_rate\u0022: 50.0, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436931,"ip":"171.231.191.125","ts":"2026-06-17 00:26:12.000000","proto":"tcp","src_port":53760,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.772537873770176, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022af0649c960e29f309d9059e570443c34\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022538d5352c49bcd2a33baa06d6f4e9b5a2b20eacb\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\\u000b\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd\\t\ufffdCMv\ufffd\ufffd0i\ufffd\u066b8\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 6, \u0022ssh_auth_burst_rate\u0022: 60.0}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436911,"ip":"171.231.191.125","ts":"2026-06-17 00:25:56.000000","proto":"tcp","src_port":54930,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1422, \u0022payload_entropy\u0022: 4.889573019162193, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220d21b7b1de28b8dc2dfd8bfbb6411018\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002223da2dff7b86d949d0b8106767484c81bf8a4872\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd\ufffdp\ufffdeK\ufffds\ufffd_\ufffdz\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd\\u0015\ufffdp\ufffdeK\ufffds\ufffd\\u0012_\ufffdz\\u0011\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd\ufffdp\ufffdeK\ufffds\ufffd_\ufffdz\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 14, \u0022ssh_auth_burst_rate\u0022: 0.93, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1422},{"id":9436907,"ip":"171.231.191.125","ts":"2026-06-17 00:25:52.000000","proto":"tcp","src_port":41160,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.779964935407243, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f4a8da3daa90b4e7edf4afd263558ffa\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dff0bf1aebbf9acb9829f95faa16f04e74d32233\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\ufffdO9\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\\u001b\ufffdO9\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd ]\ufffd\ufffd?\ufffd\ufffd_\u003C\ufffd\ufffdO9\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 12, \u0022ssh_auth_burst_rate\u0022: 1.09}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436904,"ip":"171.231.191.125","ts":"2026-06-17 00:25:50.000000","proto":"tcp","src_port":41152,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 1422, \u0022payload_entropy\u0022: 4.894674566078035, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002292d021f0841f534a2bbf9b39ba499f82\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022030fe4326ef8277b954dd6524013db7951e7bcc9\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdeX\ufffd\ufffd\ufffd\u05ecG\u030c\ufffdU\ufffda\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014eX\ufffd\ufffd\ufffd\u05ecG\\u0004\u030c\ufffdU\ufffda\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdeX\ufffd\ufffd\ufffd\u05ecG\u030c\ufffdU\ufffda\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 8, \u0022ssh_auth_burst_rate\u0022: 0.89}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1422},{"id":9436906,"ip":"171.231.191.125","ts":"2026-06-17 00:25:50.000000","proto":"tcp","src_port":41144,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 24, \u0022payload_entropy\u0022: 3.7201755214643453, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224a45e4d33f97e8b4f72cec668436cd7874f21b44\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225a9a153066f82d9d0f12e1a026c6ec51\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002226cd5e9d9e07e27ed4775b7d343e3aa8f288e53c\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 10, \u0022ssh_auth_burst_rate\u0022: 1.11}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022]","anomalies":"[]","severity":6,"bytes_in":24},{"id":9436900,"ip":"171.231.191.125","ts":"2026-06-17 00:25:46.000000","proto":"tcp","src_port":41134,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.774458986106985, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022003bd31f1971a3addeb029c17e42c929\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ecca36d81c5dfb262bf59987e0194c4aef211250\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd;!Z\ufffdox\ufffd\u0026\ufffd2\u0152\ufffd\ufffd\u0027\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 10, \u0022ssh_auth_burst_rate\u0022: 0.83}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436898,"ip":"171.231.191.125","ts":"2026-06-17 00:25:44.000000","proto":"tcp","src_port":41124,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.769009553857384, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022960e772561af2bc3edce687f4561d482\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002283a1a9350904ca3194c8956063851164af102faf\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffda\ufffd1ETi\ufffd,\ufffd\ufffd\u0229\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014a\ufffd1\\u0017ETi\ufffd\\u001b,\ufffd\ufffd\\u0010\u0229\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffda\ufffd1ETi\ufffd,\ufffd\ufffd\u0229\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 8, \u0022ssh_auth_burst_rate\u0022: 0.8}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436895,"ip":"171.231.191.125","ts":"2026-06-17 00:25:41.000000","proto":"tcp","src_port":44090,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.774639391027559, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220b92d810d0a2bc9fe523d0866c60e542\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002229d4ceb5eeb0f5f396cb6bb7975c3f7a6b8cd224\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd7G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd7\\u0002G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd7G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdy8v\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 6, \u0022ssh_auth_burst_rate\u0022: 0.86}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436887,"ip":"171.231.191.125","ts":"2026-06-17 00:25:34.000000","proto":"tcp","src_port":44074,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.771020913600246, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fa25105f19418c6d757e4b3e11cc47d0\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a88bf8c9c631a398484c568a57102833dd260eb9\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdH$i\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdH$i\\u0006\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\\u001a\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdH$i\ufffd\ufffd\u003C[\ufffdh\ufffd@\ufffdP\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 8, \u0022ssh_auth_burst_rate\u0022: 0.57}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436888,"ip":"171.231.191.125","ts":"2026-06-17 00:25:33.000000","proto":"tcp","src_port":44070,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.770667135500459, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022074b803432510990639b1ef562e02963\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e496231627746ab436fc4c466bcf7e6ad1908de8\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdx\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffds\ufffd\u003C\ufffd.O\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 9, \u0022ssh_auth_burst_rate\u0022: 0.69}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436878,"ip":"171.231.191.125","ts":"2026-06-17 00:25:22.000000","proto":"tcp","src_port":53308,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.776140150753486, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002207c496e83f85e67ef2e959d6ceb54f5a\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002237f22ba67452ecf564edaddb0d9a6c99da57854b\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\u003E\u02a3s\ufffdF\ufffd\ufffd\ufffd\u05f3j\ufffd\u02d8\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 8, \u0022ssh_auth_burst_rate\u0022: 1.0}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436877,"ip":"171.231.191.125","ts":"2026-06-17 00:25:20.000000","proto":"tcp","src_port":41058,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.769926419732655, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b02a04dc6ee167e54b13804e57f1b066\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b7ec459b345d4cb1aa0e364d7d8d3917b15e462c\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdS\ufffdlY\ufffd-\u0363p\ufffdO\u0312+\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 8, \u0022ssh_auth_burst_rate\u0022: 0.57}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436875,"ip":"171.231.191.125","ts":"2026-06-17 00:25:18.000000","proto":"tcp","src_port":41052,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.781434634479851, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221feb8fdb1ac1cff490d4446a47d7f5c1\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a7f83dce86ae71fc2894811fe733624d372ded04\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u001e\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffdI\ufffdR`\ufffd\ufffd\ufffdHI\ufffdG|\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 7, \u0022ssh_auth_burst_rate\u0022: 0.58}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436868,"ip":"171.231.191.125","ts":"2026-06-17 00:25:14.000000","proto":"tcp","src_port":41032,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.775915196830388, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224837473dd297f025c1719c9162df63bc\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022424656be92f3cf0c264e88cd30435ac4ca5b9ee5\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\u062a\ufffd\ufffd9\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\\u0018\u062a\ufffd\ufffd9\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffde#\u062a\ufffd\ufffd9\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 6, \u0022ssh_auth_burst_rate\u0022: 0.6}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436860,"ip":"171.231.191.125","ts":"2026-06-17 00:25:06.000000","proto":"tcp","src_port":37626,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.770036660743356, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bdff393a41265183039e30efdedb9593\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002205ab1a8abd501111ae29a38bf19b130414d32c00\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdG\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014G\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdG\ufffd-\ufffd\ufffdj\ufffdiD\ufffdr7\ufffdE\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 6, \u0022ssh_auth_burst_rate\u0022: 0.43}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436858,"ip":"171.231.191.125","ts":"2026-06-17 00:25:04.000000","proto":"tcp","src_port":37620,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a\u0022, \u0022emulator_response_len\u0022: 32, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.77245032583138, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228ef4e191e9aed976066724488b8f98ce\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b64d59eec027a4e472dbf4ce261a428494e8def7\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdi\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffdi\\u0014\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffdi\ufffdt\ufffd\ufffdV\ufffd\ufffd\ufffd*\ufffdD\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436853,"ip":"171.231.191.125","ts":"2026-06-17 00:24:52.000000","proto":"tcp","src_port":33204,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.779385297336887, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221aab2c304f6259500b51e0e1fb0a9b35\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b9e5401bd68fd89a0360b30fd85879cf091f4515\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\ufffd\\u000f)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffd\ufffd)\\\\\ufffdK\ufffdZ\ufffd\u003E\ufffd\ufffd\ufffdk\ufffd-\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 13, \u0022ssh_auth_burst_rate\u0022: 0.93}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072},{"id":9436848,"ip":"171.231.191.125","ts":"2026-06-17 00:24:44.000000","proto":"tcp","src_port":42144,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 2072, \u0022payload_entropy\u0022: 4.77568089014494, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 7552, \u0022country\u0022: \u0022VN\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 137, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022VN\u0022, \u0022asn\u0022: 7552, \u0022org\u0022: \u0022Viettel Group\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220dadedd58fb22e45ae31c304e558f9b3\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f427e0c6b930127fc1f5c1efbb6e7ac3c5ae2853\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdf\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\\u0000\\u0000\\b\ufffd\\u0006\\u0014\\u0018f\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-AsyncSSH_2.1.0\\r\\n\ufffdf\ufffd?g^[\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022ssh_auth_burst\u0022: true, \u0022ssh_auth_burst_count\u0022: 15, \u0022ssh_auth_burst_rate\u0022: 1.15}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_bruteforce\u0022, \u0022net_ssh_probe\u0022, \u0022redis_rdb_sync\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":2072}],"total_events":92}