Détails IP 176.65.139.130

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « web_probe » (signaux protocolaires) · confiance 77%

Confiance 77 % — Score WAF 8

Comparaison ASN / FAI

ASN 214472 · 176.65.139.0/24 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 15 événements sur la période pour cette IP.

176.65.139.214 Sonde port 23/TCP 07/06/2026 22:11 UTC
176.65.139.103 Sonde HTTP 07/06/2026 22:06 UTC
176.65.139.11 vnc bruteforce 07/06/2026 22:05 UTC
176.65.139.31 Sonde port 07/06/2026 22:01 UTC
176.65.139.140 Agent personnel 07/06/2026 21:22 UTC
176.65.139.41 Sonde port 23/TCP 07/06/2026 21:16 UTC
176.65.139.151 Sonde port 23/TCP 07/06/2026 21:02 UTC
176.65.139.126 Sonde fichier configuration 07/06/2026 16:42 UTC

IPs apparentées

Même FAI Offshore LC — corrélation indicative.

176.65.139.214 Sonde port 23/TCP
176.65.139.103 Sonde HTTP
176.65.139.11 vnc bruteforce
176.65.139.31 Sonde port
176.65.139.140 Agent personnel

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

SSH TCP 10 HTTP TCP 5

SSH

10

HTTP

5

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

15 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
07/06/2026 22:12:45 UTC	TCP	10007 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:10007 · (sonde / probe) · → ipv4.icanhazip.com:443	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole CONNECT ipv4.icanhazip.com:443 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_dangerous_method http_method_uncommon http_no_ua Cible HTTP CONNECT ipv4.icanhazip.com:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 10007 Chemin / cible ipv4.icanhazip.com:443 Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74% Confiance classification 74% Risque capteur Moyen · 40 Confiance : Confiance 74 % — Score WAF 8 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `CONNECT ipv4.icanhazip.com:443 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) CONNECT ipv4.icanhazip.com:443 HTTP/1.1 Host: ipv4.icanhazip.com:443 Meta JSON brut { "http_header_count": 1, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_target_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 73, "payload_entropy": 4.61231064797493, "port_category": "registered", "org": "Offshore LC", "service": "http", "app_proto": "http", "asn": 214472, "country": "LU", "dst_port": 10007, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "33372418e2a8c40d640d9386c6daf7ced76b2efa", "event_fingerprint": "3bcb83562862ca8834f8d94a065a91766a4f083c", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "LU", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bdac607dadd1a8609375214bb403cd5a", "path_pattern_hash": "fa3ded9f44946350d37f691ecd245f22" }, "service_name": "http", "target_context": { "dst_port": 10007, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "evidence": { "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%" }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.74, "classification_confidence": 0.74, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0c36d85b41a5aa7b9a222bf5cb2458c25008c4ea", "protocol_details": { "http_method": "CONNECT", "http_path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "port": 10007, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "attack_vector": "Sonde HTTP \u00b7 via HTTP:10007 \u00b7 (sonde \/ probe) \u00b7 \u2192 ipv4.icanhazip.com:443", "target_port_label": "10007 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 74, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10007, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "CONNECT", "http_path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "port": 10007, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:10007 \u00b7 (sonde \/ probe) \u00b7 \u2192 ipv4.icanhazip.com:443", "evidence_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "target_port_label": "10007 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 74 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10007" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_dangerous_method", "http_method_uncommon", "http_no_ua" ] }
07/06/2026 21:51:02 UTC	TCP	8080 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:8080 · (sonde / probe) · → ipv4.icanhazip.com:443	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole CONNECT ipv4.icanhazip.com:443 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_dangerous_method http_method_uncommon http_no_ua net_web_probe Cible HTTP CONNECT ipv4.icanhazip.com:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 8080 Chemin / cible ipv4.icanhazip.com:443 Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 77% Confiance classification 77% Risque capteur Moyen · 40 Confiance : Confiance 77 % — Score WAF 8 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `CONNECT ipv4.icanhazip.com:443 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) CONNECT ipv4.icanhazip.com:443 HTTP/1.1 Host: ipv4.icanhazip.com:443 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 1, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_target_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 73, "payload_entropy": 4.61231064797493, "port_category": "registered", "org": "Offshore LC", "service": "http", "app_proto": "http", "asn": 214472, "country": "LU", "dst_port": 8080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 40, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d02da780fa50601181fd57cb8351d8fd4c9532b2", "event_fingerprint": "cd1dbbd2a262e8b1a68fe7ac28de0cc1917f52fa", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "LU", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bdac607dadd1a8609375214bb403cd5a", "path_pattern_hash": "fa3ded9f44946350d37f691ecd245f22" }, "service_name": "http", "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "evidence": { "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%" }, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "confidence": 0.77, "classification_confidence": 0.77, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db68090420bdd948e43374823e810d8d51c88ba5", "protocol_details": { "http_method": "CONNECT", "http_path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 ipv4.icanhazip.com:443", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 77 % \u2014 Score WAF 8", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 77, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "CONNECT", "http_path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe) \u00b7 \u2192 ipv4.icanhazip.com:443", "evidence_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 77 % \u2014 Score WAF 8", "confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_dangerous_method", "http_method_uncommon", "http_no_ua", "net_web_probe" ] }
07/06/2026 12:05:37 UTC	TCP	5321 · SSH	ssh	Sonde SSH	Élevée	Moyen · 48
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1046 TA0007 TA0001 WAF — Recommandation Surveiller Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5321 Chemin / cible — Pourquoi cette classification : Bannière client SSH reçue · confiance 95% Confiance classification 95% Risque capteur Moyen · 48 Signaux pat-0391 Upstream Technique MITRE T1046 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go Meta JSON brut { "bytes_in": 12, "payload_entropy": 3.2516291673878226, "port_category": "registered", "org": "Offshore LC", "service": "ssh", "app_proto": "ssh", "asn": 214472, "country": "LU", "dst_port": 5321, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0 }, "risk_score": 48, "tag_count": 1, "anomaly_count": 0, "campaign_key": "5f95f5f880746694aca6c77f637f2a7bedc72f81", "event_fingerprint": "f01dc7e5c4724befd507f129f059ea4d1f4763cf", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 83, "precision_signals": [ "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253" ], "pattern_ids": [ "pat-0391" ], "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "ssh", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "LU", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e9e55307b9c6c1bf5bae2abdb628281d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 5321, "service": "ssh", "service_name": "ssh", "risk_score": 48 }, "payload_preview": "SSH-2.0-Go\r\n", "request_sample": "SSH-2.0-Go\r\n", "payload_snippet": "SSH-2.0-Go", "evidence": { "request_sample": "SSH-2.0-Go\r\n", "payload_snippet": "SSH-2.0-Go", "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "00616398201b73d84f756f43ac5b2fa2b5f86102", "site_display": { "classification": null, "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 0, "risk_score": 48 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 48, "risk_label": "Moyen", "service_name": "ssh", "service_label_fr": "SSH", "dst_port": 5321, "protocol_emulated": null, "tags_summary": [ "pat-0391", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0391", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "OpenSSH_8.9p1 Ubuntu", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "ssh", "service_banner": "OpenSSH_8.9p1 Ubuntu", "service_os": "linux", "dst_port": "5321" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "ssh_banner" ] }
05/06/2026 22:04:09 UTC	TCP	22	ssh	Sonde SSH	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_ssh_probe ssh_banner ssh_emulated ssh_kex_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Pourquoi cette classification : Type « ssh_probe » (signaux protocolaires) · confiance 74% Confiance classification 74% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SSH-2.0 banner RFC4253 Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go �,�vU�634�!& ��mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ec Requête brute (extrait) SSH-2.0-Go �,�vU�634�!& ��mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-inf Meta JSON brut { "protocol_emulated": true, "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a", "emulator_response_len": 41, "bytes_in": 1180, "payload_entropy": 4.851914985912114, "port_category": "well_known", "org": "Offshore LC", "service": "ssh", "app_proto": "ssh", "asn": 214472, "country": "DE", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 36, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 36, "novelty": 25 }, "risk_score": 22, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9a91c35ff8553fc24795f9eaf93692ffdae1839c", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "classification_reason": "Type \u00ab ssh_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence": 0.74, "classification_confidence": 0.74, "precision_score": 83, "precision_signals": [ "pat-0391", "INT-upstream" ], "kb_rule_ids": [ "pat-0391", "INT-upstream" ], "matched_patterns": [ "pat-0391", "pat-0554" ], "matched_pattern_names": [ "SSH-2.0 banner RFC4253", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0391", "pat-0554" ], "risk_confidence_factor": 74, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "DE", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0ef411a69bb365edbf4cf3bdbe472612", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh" }, "payload_preview": "SSH-2.0-Go\r\n\u0000\u0000\u0004\ufffd\u0012\u0014,\ufffdvU\u0006\ufffd634\ufffd!&\u00a0\ufffd\u0000\u0000\u0000\ufffdmlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ec", "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0004\ufffd\u0012\u0014,\ufffdvU\u0006\ufffd634\ufffd!&\u00a0\ufffd\u0000\u0000\u0000\ufffdmlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-inf", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0004\ufffd\u0012\u0014,\ufffdvU\u0006\ufffd634\ufffd!&\u00a0\ufffd\u0000\u0000\u0000\ufffdmlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ec", "evidence": { "request_sample": "SSH-2.0-Go\r\n\u0000\u0000\u0004\ufffd\u0012\u0014,\ufffdvU\u0006\ufffd634\ufffd!&\u00a0\ufffd\u0000\u0000\u0000\ufffdmlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-inf", "payload_snippet": "SSH-2.0-Go\r\n\u0000\u0000\u0004\ufffd\u0012\u0014,\ufffdvU\u0006\ufffd634\ufffd!&\u00a0\ufffd\u0000\u0000\u0000\ufffdmlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ec", "classification_reason": "Type \u00ab ssh_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "22c70a2c54865b98f1fa384c2daa39d2cab06968", "ban_policy": "advisory_monitor", "tags_list": [ "net_ssh_probe", "ssh_banner", "ssh_emulated", "ssh_kex_probe", "ssh_libssh" ] }
05/06/2026 18:02:33 UTC	TCP	10030	http	Sonde HTTP	Élevée	Faible · 15
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_dangerous_method http_method_uncommon http_no_ua Cible HTTP CONNECT ipv4.icanhazip.com:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 10030 Chemin / cible ipv4.icanhazip.com:443 Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Ligne de requête `CONNECT ipv4.icanhazip.com:443 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) CONNECT ipv4.icanhazip.com:443 HTTP/1.1 Host: ipv4.icanhazip.com:443 Meta JSON brut { "http_header_count": 1, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_target_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 73, "payload_entropy": 4.61231064797493, "port_category": "registered", "org": "Offshore LC", "service": "http", "app_proto": "http", "asn": 214472, "country": "DE", "dst_port": 10030, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 15, "tag_count": 3, "anomaly_count": 0, "campaign_key": "dd27afb71c2d313c10f129bc1a58fc897c001cb7", "event_fingerprint": "b66afbc14e7924ea23baf4d95a3e694a783c4ca6", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "DE", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bdac607dadd1a8609375214bb403cd5a", "path_pattern_hash": "fa3ded9f44946350d37f691ecd245f22" }, "target_context": { "dst_port": 10030, "service": "http" }, "payload_preview": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "evidence": { "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9ddfb1071b81bd8e4264c9d006a694264b707ed0", "ban_policy": "advisory_monitor", "tags_list": [ "http_dangerous_method", "http_method_uncommon", "http_no_ua" ] }
05/06/2026 17:54:26 UTC	TCP	10053	http	Sonde HTTP	Élevée	Faible · 14
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_dangerous_method http_method_uncommon http_no_ua Cible HTTP CONNECT ipv4.icanhazip.com:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 10053 Chemin / cible ipv4.icanhazip.com:443 Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Ligne de requête `CONNECT ipv4.icanhazip.com:443 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) CONNECT ipv4.icanhazip.com:443 HTTP/1.1 Host: ipv4.icanhazip.com:443 Meta JSON brut { "http_header_count": 1, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_target_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 73, "payload_entropy": 4.61231064797493, "port_category": "registered", "org": "Offshore LC", "service": "http", "app_proto": "http", "asn": 214472, "country": "DE", "dst_port": 10053, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 14, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5c7bb22862456f842b6ecae5ec3a301f4e66bb7b", "event_fingerprint": "0ca9104dbfc6d57b9172ea0b195b4963a33ba2a2", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "DE", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bdac607dadd1a8609375214bb403cd5a", "path_pattern_hash": "fa3ded9f44946350d37f691ecd245f22" }, "target_context": { "dst_port": 10053, "service": "http" }, "payload_preview": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "evidence": { "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6ae33b26c573773ad7fdbe9ba2a20d52c4ff5062", "ban_policy": "advisory_monitor", "tags_list": [ "http_dangerous_method", "http_method_uncommon", "http_no_ua" ] }
05/06/2026 17:26:19 UTC	TCP	10008	http	Sonde HTTP	Élevée	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_dangerous_method http_method_uncommon http_no_ua Cible HTTP CONNECT ipv4.icanhazip.com:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 10008 Chemin / cible ipv4.icanhazip.com:443 Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Ligne de requête `CONNECT ipv4.icanhazip.com:443 HTTP/1.1` User-Agent — Règles WAF — Payload (extrait) CONNECT ipv4.icanhazip.com:443 HTTP/1.1 Host: ipv4.icanhazip.com:443 Meta JSON brut { "http_header_count": 1, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_target_hash": "451c817b16d7ce3ef132511d0ab95b7ee066f511", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 73, "payload_entropy": 4.61231064797493, "port_category": "registered", "org": "Offshore LC", "service": "http", "app_proto": "http", "asn": 214472, "country": "DE", "dst_port": 10008, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 16, "tag_count": 3, "anomaly_count": 0, "campaign_key": "7ea5ed2d6ba32346271a9a764a65ee1edf16a5df", "event_fingerprint": "0676c74982c700a44a4f111ccec3ef10ca5ec0a7", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "DE", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bdac607dadd1a8609375214bb403cd5a", "path_pattern_hash": "fa3ded9f44946350d37f691ecd245f22" }, "target_context": { "dst_port": 10008, "service": "http" }, "payload_preview": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "evidence": { "method": "CONNECT", "path": "ipv4.icanhazip.com:443", "request_line": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1", "request_sample": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443\r\n\r\n", "payload_snippet": "CONNECT ipv4.icanhazip.com:443 HTTP\/1.1\r\nHost: ipv4.icanhazip.com:443", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5dd3ea4538071d12f1d1c671176d82629116b85a", "ban_policy": "advisory_monitor", "tags_list": [ "http_dangerous_method", "http_method_uncommon", "http_no_ua" ] }
04/06/2026 19:05:19 UTC	TCP	22	ssh	Sonde SSH	Élevée	Faible · 18
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Confiance classification 68% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go Meta JSON brut { "bytes_in": 12, "payload_entropy": 3.2516291673878226, "port_category": "well_known", "org": "Offshore LC", "service": "ssh", "app_proto": "ssh", "asn": 214472, "country": "DE", "dst_port": 22, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 18, "tag_count": 1, "anomaly_count": 0, "campaign_key": "4a67c8cb1e29b5e39a79acd012734536b5a2b497", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "DE", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e9e55307b9c6c1bf5bae2abdb628281d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.68, "classification_confidence": 0.68, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "SSH-2.0-Go\r\n", "event_signature": "29dce0ae62a9dedef1d645cb23bf1019e232b5d0", "ban_policy": "advisory_monitor", "tags_list": [ "ssh_banner" ] }
04/06/2026 14:08:02 UTC	TCP	22	ssh	Sonde SSH	Élevée	Faible · 14
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 22 Chemin / cible — Confiance classification 68% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) SSH-2.0-Go Meta JSON brut { "bytes_in": 12, "payload_entropy": 3.2516291673878226, "port_category": "well_known", "org": "Offshore LC", "service": "ssh", "app_proto": "ssh", "asn": 214472, "country": "DE", "dst_port": 22, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 14, "tag_count": 1, "anomaly_count": 0, "campaign_key": "4a67c8cb1e29b5e39a79acd012734536b5a2b497", "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "DE", "asn": 214472, "org": "Offshore LC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e9e55307b9c6c1bf5bae2abdb628281d", "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca" }, "target_context": { "dst_port": 22, "service": "ssh" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.68, "classification_confidence": 0.68, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "SSH-2.0-Go\r\n", "event_signature": "29dce0ae62a9dedef1d645cb23bf1019e232b5d0", "ban_policy": "advisory_monitor", "tags_list": [ "ssh_banner" ] }
01/06/2026 20:59:57 UTC	TCP	22	ssh	Sonde SSH	Élevée	Élevé · 74
Étape — WAF — Recommandation — Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 18:23:46 UTC	TCP	22	ssh	Sonde SSH	Élevée	Élevé · 74
Étape — WAF — Recommandation — Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 17:59:43 UTC	TCP	22	ssh	Sonde SSH	Élevée	Élevé · 74
Étape — WAF — Recommandation — Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 15:01:02 UTC	TCP	22	ssh	Sonde SSH	Élevée	Élevé · 74
Étape — WAF — Recommandation — Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 18:34:15 UTC	TCP	22	ssh	Sonde SSH	Élevée	Élevé · 74
Étape — WAF — Recommandation — Tags ssh_banner Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 13:56:26 UTC	TCP	22	ssh	ssh attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1

Réputation

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

176.65.139.130

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence