Détails IP 172.239.64.84

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Tentative d'exploit (tag rce-0) · confiance 62%

Confiance 62 % — Score WAF 72 · 3 tag(s) WAF

Comparaison ASN / FAI

ASN 63949 · 172.239.64.0/19 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 5 événements sur la période pour cette IP.

172.104.93.159 Sonde port 23/TCP 18/06/2026 08:51 UTC
139.162.113.212 Sonde port 110/TCP 18/06/2026 02:24 UTC
172.236.228.198 Tentative d'exploit 17/06/2026 22:59 UTC
172.236.239.55 Tentative d'exploit 17/06/2026 22:58 UTC
172.235.41.245 Tentative d'exploit 17/06/2026 22:56 UTC
172.236.228.245 Tentative d'exploit 17/06/2026 22:56 UTC
172.104.11.34 Tentative d'exploit 17/06/2026 22:56 UTC
172.239.71.244 Tentative d'exploit 17/06/2026 22:55 UTC

IPs apparentées

Même FAI Akamai Connected Cloud — corrélation indicative.

172.104.93.159 Sonde port 23/TCP
139.162.113.212 Sonde port 110/TCP
172.236.228.198 Tentative d'exploit
172.236.239.55 Tentative d'exploit
172.235.41.245 Tentative d'exploit

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 3 IPP TCP 2

HTTP

3

IPP

2

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

5 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 22:57:56 UTC	TCP	1001 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:1001 · (tentative d'exploit)	Élevée	Moyen · 50
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1001 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 50 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1001 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1001 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "4e6a28ff9c8256fe462580c9c699ee7116fe4569", "http_host_hash": "567685340362454ad77d6faf5ae59733f707e245", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.355308808591764, "port_category": "well_known", "org": "Akamai Connected Cloud", "service": "http", "app_proto": "http", "asn": 63949, "country": "US", "dst_port": 1001, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 50, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3b832e87c719b71febc901a09a3409562813f13b", "event_fingerprint": "5d0d5ddf1f38fb54bc577b5e68dff8c46e968f41", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 50 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 63949, "org": "Akamai Connected Cloud", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0fd6c9870ce5f6f9073d16f587ecf744", "payload_hash": "ba9a05f39c40d16792b982ec5cce7efd", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1001, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1001\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1001\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1001\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1001\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1001\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "80b06e5e7323b81691ecfa59d1c8cd31c828663c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "port": 1001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1001\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:1001 \u00b7 (tentative d'exploit)", "target_port_label": "1001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 50 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1001, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "port": 1001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:1001 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1001\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "1001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "asn_dc_heuristic": true }
17/06/2026 08:34:10 UTC	TCP	93 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:93 · (tentative d'exploit)	Élevée	Moyen · 49
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 93 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 49 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:93 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:93 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "4e6a28ff9c8256fe462580c9c699ee7116fe4569", "http_host_hash": "6c26082d57639b4c983bec646995a9bd84d0319f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 203, "payload_entropy": 5.377393204502194, "port_category": "well_known", "org": "Akamai Connected Cloud", "service": "http", "app_proto": "http", "asn": 63949, "country": "US", "dst_port": 93, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "10939433dda33c038f77ce7a89ece389741e20a1", "event_fingerprint": "132985976d9b841c522b4304f12eaf92c71feba6", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 63949, "org": "Akamai Connected Cloud", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0fd6c9870ce5f6f9073d16f587ecf744", "payload_hash": "61b013b3263115094060ef0f4f0aec61", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 93, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:93\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:93\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:93\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:93\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:93\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c2865af3ea37d050b34cc09780755de1df2a4ee6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "port": 93, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:93\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Ge", "attack_vector": "exploit attempt \u00b7 via HTTP:93 \u00b7 (tentative d'exploit)", "target_port_label": "93 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 49 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 93, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "port": 93, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:93 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:93\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Ge", "target_port_label": "93 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "93" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "asn_dc_heuristic": true }
16/06/2026 06:55:06 UTC	TCP	631 · IPP	ipp	Botnet Mozi mozi pattern · via IPP:631 · (commande & contrôle)	Élevée	Moyen · 41
Étape Commande & contrôle Chaîne Commande & contrôle Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0011 TA0011 Protocole Émulateur IPP WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 631 Chemin / cible — Service IPP Payload GET / HTTP/1.1 Host: 62.3.50.33:631 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like G Pourquoi cette classification : Type « mozi_pattern » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Moyen · 41 Confiance : Confiance 0 % — 3 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0011 Tactiques MITRE TA0011 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:631 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:631 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742069707020726561647920706f72743d3633310d0a", "emulator_response_len": 33, "bytes_in": 204, "payload_entropy": 5.360672314018692, "port_category": "well_known", "org": "Akamai Connected Cloud", "service": "ipp", "app_proto": "ipp", "asn": 63949, "country": "US", "dst_port": 631, "risk_waf": 8, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 41, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a91732316081f900ef073277503d08de85823b6a", "event_fingerprint": "10494905d166d137cdbac483efb99c42ee20ff9e", "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 41 }, "named_classification_skipped": false, "service_name": "ipp", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 63949, "org": "Akamai Connected Cloud", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7aca1514b858875e8613018b2f58e972", "path_pattern_hash": "762d384fab941f6d0c2239f19994f30e" }, "target_context": { "dst_port": 631, "service": "ipp", "service_name": "ipp", "risk_score": 41 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "c2", "mitre_tactics": [ "TA0011" ], "mitre": "TA0011", "threat_family": [ "botnet" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13612621da861bfcc8f2ea8df3b6a6ec52f7638f", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "port": 631, "service": "ipp", "service_label_fr": "IPP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "attack_vector": "mozi pattern \u00b7 via IPP:631 \u00b7 (commande & contr\u00f4le)", "target_port_label": "631 \u00b7 IPP", "emulator_service": "ipp", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 41\/100 (Moyen) \u2014 MITRE TA0011 \u2014 via IPP", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 41 }, "attack_stage": "c2", "attack_stage_label": "Commande & contr\u00f4le", "attack_chain_stage": "command_and_control", "attack_chain_stage_label_fr": "Commande & contr\u00f4le", "risk_score": 41, "risk_label": "Moyen", "service_name": "ipp", "service_label_fr": "IPP", "dst_port": 631, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0011", "mitre_technique": "TA0011", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ipp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "port": 631, "service": "ipp", "service_label_fr": "IPP" }, "attack_vector": "mozi pattern \u00b7 via IPP:631 \u00b7 (commande & contr\u00f4le)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:631\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "target_port_label": "631 \u00b7 IPP", "emulator_service": "ipp", "confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "stage" }, { "key": "command_and_control", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ipp", "service_banner": "honeypot-ipp", "service_os": "linux", "dst_port": "631" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "command_and_control", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_mozi_pattern" ], "asn_dc_heuristic": true }
16/06/2026 06:55:06 UTC	TCP	944 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:944 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 944 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:944 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like G Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:944 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "4e6a28ff9c8256fe462580c9c699ee7116fe4569", "http_host_hash": "7e5fad50f9230666e036cf11d2747e9cd5a9df7b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 204, "payload_entropy": 5.408096686767258, "port_category": "well_known", "org": "Akamai Connected Cloud", "service": "http", "app_proto": "http", "asn": 63949, "country": "US", "dst_port": 944, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 51, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e0bd06782f42b74c88d550c8e3782b9ba4a9ae63", "event_fingerprint": "769849899b78e6d86da564912bc94c6f8ca001e1", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 63949, "org": "Akamai Connected Cloud", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0fd6c9870ce5f6f9073d16f587ecf744", "payload_hash": "70f699e69740cfea81988d2cb0f3fe62", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 944, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:944\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:944\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:944\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:944\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:944\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0d9ff3fe188e0151b300b4ffc691bcb2fcbe3eaa", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "port": 944, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:944\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "attack_vector": "exploit attempt \u00b7 via HTTP:944 \u00b7 (tentative d'exploit)", "target_port_label": "944 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 944, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.0.0 Safari\/537.36", "port": 944, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:944 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:944\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit\/537.36 (KHTML, like G", "target_port_label": "944 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "944" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "ipp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "asn_dc_heuristic": true }
16/06/2026 06:55:06 UTC	TCP	631 · IPP	ipp	Sonde PostgreSQL postgres probe · via IPP:631 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 cba7f34191ef2379 Émulateur IPP WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 631 Chemin / cible — Service IPP Payload {w��U�QQʠ�{�=��p��j5�/�+�� /5� 4 � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {w��U�QQʠ�{�=��p��j5�/�+�� /5� 4 � Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742069707020726561647920706f72743d3633310d0a", "emulator_response_len": 33, "bytes_in": 128, "payload_entropy": 4.820287002933164, "port_category": "well_known", "org": "Akamai Connected Cloud", "service": "ipp", "app_proto": "ipp", "asn": 63949, "country": "US", "dst_port": 631, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "5f5bfee723539ed7c20966ca769533d6c50e2e19", "event_fingerprint": "0ff2363c0156fd28c9def3540d5e442f36179298", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "ipp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 63949, "org": "Akamai Connected Cloud", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1086fa73ccb6db2b0ee281dcd40d7aff", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "ja4": "a3a5f53d3656a0df675e8aa020d5979e", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 631, "service": "ipp", "service_name": "ipp", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdU\ufffdQQ\u02a0\ufffd{\u0010\ufffd=\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdj5\u001f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdU\ufffdQQ\u02a0\ufffd{\u0010\ufffd=\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdj5\u001f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdU\ufffdQQ\u02a0\ufffd{\u0010\ufffd=\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdj5\u001f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ec050082549953d031b410c277ebac68bef0b2df", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdU\ufffdQQ\u02a0\ufffd{\u0010\ufffd=\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdj5\u001f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 631, "service": "ipp", "service_label_fr": "IPP" }, "evidence_snippet": "{w\ufffd\ufffdU\ufffdQQ\u02a0\ufffd{\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj5\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "attack_vector": "postgres probe \u00b7 via IPP:631 \u00b7 (sonde \/ probe)", "target_port_label": "631 \u00b7 IPP", "emulator_service": "ipp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "ipp", "service_label_fr": "IPP", "dst_port": 631, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-ipp", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdU\ufffdQQ\u02a0\ufffd{\u0010\ufffd=\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffdj5\u001f\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 631, "service": "ipp", "service_label_fr": "IPP" }, "attack_vector": "postgres probe \u00b7 via IPP:631 \u00b7 (sonde \/ probe)", "evidence_snippet": "{w\ufffd\ufffdU\ufffdQQ\u02a0\ufffd{\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdj5\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "target_port_label": "631 \u00b7 IPP", "emulator_service": "ipp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ipp", "service_banner": "honeypot-ipp", "service_os": "linux", "dst_port": "631" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "ipp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

172.239.64.84

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence