Détails IP 18.117.74.144

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « postgres_probe » (signaux protocolaires) · confiance 49%

Confiance 49 % — Score WAF 8

Comparaison ASN / FAI

ASN 16509 · 18.116.0.0/14 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 19 événements sur la période pour cette IP.

65.1.138.190 Sonde RDP 18/06/2026 19:24 UTC
18.218.97.223 Sonde PostgreSQL 18/06/2026 19:24 UTC
3.130.168.2 Sonde PostgreSQL 18/06/2026 19:06 UTC
3.22.57.96 Sonde PPTP 18/06/2026 18:57 UTC
3.87.27.156 minecraft probe 18/06/2026 18:56 UTC
3.129.187.38 Sonde PostgreSQL 18/06/2026 18:55 UTC
16.58.56.214 Tentative d'exploit 18/06/2026 18:42 UTC
18.116.101.220 Sonde PostgreSQL 18/06/2026 18:26 UTC

IPs apparentées

Même FAI Amazon.com, Inc. — corrélation indicative.

65.1.138.190 Sonde RDP
18.218.97.223 Sonde PostgreSQL
3.130.168.2 Sonde PostgreSQL
3.22.57.96 Sonde PPTP
3.87.27.156 minecraft probe

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

RTCP TCP 2 GAME UNREAL TCP 2 TLS TCP 2 HTTP TCP 2 UPNP TCP TCP 2 AWS ECS AGENT TCP 2 JETDIRECT TCP 2 COUCHBASE TCP 2 HTTP ALT 8040 TCP 1 ORACLE EM TCP 1 DNS TCP 1

RTCP

2

GAME UNREAL

2

TLS

2

HTTP

2

UPNP TCP

2

AWS ECS AGENT

2

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

19 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 02:09:32 UTC	TCP	8566 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8566 · (sonde / probe)	Moyenne	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 60828da5b42313d1 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8566 Chemin / cible — Service TLS Payload �� w� J��7��R� ��%�b�/ŀ��Q ��b �M� �YV �H�pY�ch7��W�4�+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� w� J��7��R��%�b�/ŀ��Q ��b �M��YV�H�pY�ch7��W�4�+�/�,�0̨̩� �� q� Requête brute (extrait) �� w� J��7��R� ��%�b�/ŀ��Q ��b �M� �YV �H�pY�ch7��W�4�+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��s�P Meta JSON brut { "tls_ja3_hash": "60828da5b42313d165aae2938e651b72", "tls_sni": null, "tls_alpn": [ "h2", "http\/1.1" ], "bytes_in": 1501, "payload_entropy": 7.728917645713793, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "tls", "app_proto": "tls", "asn": 16509, "country": "US", "dst_port": 8566, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 2, "anomaly_count": 0, "campaign_key": "dc2932589695f9e3db218065b88dc9e5499671e7", "event_fingerprint": "33f8ce5baeedd50a3c8448310b6fae3bf2d432e9", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "60828da5b42313d165aae2938e651b72", "payload_hash": "5e51c60765116250495fddbf77042a23", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8566, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\u0001\ufffd\ufffdR\u0016\ufffd\u0003\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\u0006\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\u000b\ufffdYV\u000b\ufffdH\ufffdpY\ufffdch7\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\u0001\ufffd\ufffdR\u0016\ufffd\u0003\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\u0006\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\u000b\ufffdYV\u000b\ufffdH\ufffdpY\ufffdch7\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffd\u0007\ufffds\ufffdP", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\u0001\ufffd\ufffdR\u0016\ufffd\u0003\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\u0006\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\u000b\ufffdYV\u000b\ufffdH\ufffdpY\ufffdch7\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9d0d7350458ea89eac9f5f5e7d9673eb03d2c9e5", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\u0001\ufffd\ufffdR\u0016\ufffd\u0003\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\u0006\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\u000b\ufffdYV\u000b\ufffdH\ufffdpY\ufffdch7\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "tls_ja3": "60828da5b42313d165aae2938e651b72", "port": 8566, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd%\ufffdb\ufffd\/\u0140\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\ufffdYV\ufffdH\ufffdpY\ufffdch7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:8566 \u00b7 (sonde \/ probe)", "target_port_label": "8566 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8566, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\u0001\ufffd\ufffdR\u0016\ufffd\u0003\f\ufffd\ufffd%\ufffdb\ufffd\/\u0140\u0006\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\u000b\ufffdYV\u000b\ufffdH\ufffdpY\ufffdch7\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "tls_ja3": "60828da5b42313d165aae2938e651b72", "port": 8566, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8566 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\r\ufffdw\ufffd\rJ\ufffd\ufffd7\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd%\ufffdb\ufffd\/\u0140\ufffd\ufffdQ \ufffd\ufffdb\n\ufffdM\ufffd\ufffdYV\ufffdH\ufffdpY\ufffdch7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd4\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "8566 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8566" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni" ], "asn_dc_heuristic": true }
18/06/2026 01:57:09 UTC	TCP	9100 · JETDIRECT	jetdirect	Sonde PostgreSQL postgres probe · via JETDIRECT:9100 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur JETDIRECT WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9100 Chemin / cible — Service JETDIRECT Payload ��YNE�O�=�M�7��/+��ᛃ�g��>CcG^ $O��!�J��l�7��M��>�+��@nv�+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��YNE�O�=�M�7��/+��ᛃ�g��>CcG^ $O��!�J��l�7��M��>�+��@nv�+�/�,�0̨̩� �� q� Requête brute (extrait) ��YNE�O�=�M�7��/+��ᛃ�g��>CcG^ $O��!�J��l�7��M��>�+��@nv�+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��s�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a", "emulator_response_len": 40, "bytes_in": 1501, "payload_entropy": 7.751075690685349, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "jetdirect", "app_proto": "jetdirect", "asn": 16509, "country": "US", "dst_port": 9100, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "f1e3f6c4032e00ba676fd80a6ca9708e04a4c2a8", "event_fingerprint": "eb0afc337169eaa4b8e375f85f6d9c688c816a7c", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "jetdirect", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "61d2af97233e0814fa01106172b10403", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 9100, "service": "jetdirect", "service_name": "jetdirect", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\u0016\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd>CcG^ $O\ufffd\ufffd\u0003\b\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd>\ufffd+\ufffd\u001e\u0002\ufffd@n\u0006v\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\u0016\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd>CcG^ $O\ufffd\ufffd\u0003\b\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd>\ufffd+\ufffd\u001e\u0002\ufffd@n\u0006v\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u0012\bs\ufffd\u001a\u001d\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\u0016\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd>CcG^ $O\ufffd\ufffd\u0003\b\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd>\ufffd+\ufffd\u001e\u0002\ufffd@n\u0006v\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2ef7ba033f2affbc964862d0d6b559d37386e032", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\u0016\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd>CcG^ $O\ufffd\ufffd\u0003\b\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd>\ufffd+\ufffd\u001e\u0002\ufffd@n\u0006v\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "evidence_snippet": "\ufffd\ufffdYNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\ufffd\u16c3\ufffdg\ufffd\ufffd>CcG^ $O\ufffd\ufffd!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd>\ufffd+\ufffd\ufffd@nv\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "jetdirect", "service_label_fr": "JETDIRECT", "dst_port": 9100, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-jetdirect", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003YNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\u0016\u0013\ufffd\u16c3\ufffdg\ufffd\ufffd>CcG^ $O\ufffd\ufffd\u0003\b\u0004!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd>\ufffd+\ufffd\u001e\u0002\ufffd@n\u0006v\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "attack_vector": "postgres probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdYNE\ufffdO\ufffd=\ufffdM\ufffd7\ufffd\ufffd\/+\ufffd\ufffd\u16c3\ufffdg\ufffd\ufffd>CcG^ $O\ufffd\ufffd!\ufffdJ\ufffd\ufffdl\ufffd7\ufffd\ufffd\ufffdM\ufffd\ufffd>\ufffd+\ufffd\ufffd@nv\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "jetdirect", "service_banner": "honeypot-jetdirect", "service_os": "linux", "dst_port": "9100" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 01:57:09 UTC	TCP	9100 · JETDIRECT	jetdirect	Sonde HTTP Sonde HTTP · via JETDIRECT:9100 · (sonde / probe)	Élevée	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur JETDIRECT WAF — Recommandation Surveiller Tags mozi_pattern net_mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9100 Chemin / cible — Service JETDIRECT Payload HEAD / HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0419 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) HTTP HEAD method User-Agent — Règles WAF — Payload (extrait) HEAD / HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a", "emulator_response_len": 40, "bytes_in": 93, "payload_entropy": 5.146437913552422, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "jetdirect", "app_proto": "jetdirect", "asn": 16509, "country": "US", "dst_port": 9100, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 44, "tag_count": 2, "anomaly_count": 0, "campaign_key": "32174349c3b7d998f1df265fe592970b10f32a51", "event_fingerprint": "4eb4d5d58ec22bdf2146f812070ea6ca88d25a86", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0419" ], "kb_rule_ids": [ "pat-0419" ], "matched_patterns": [ "pat-0419" ], "matched_pattern_names": [ "HTTP HEAD method" ], "pattern_ids": [ "pat-0419" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "jetdirect", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8cb18c1f27bb01eaa11e35ffe55cd7d1", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "target_context": { "dst_port": 9100, "service": "jetdirect", "service_name": "jetdirect", "risk_score": 44 }, "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "evidence": { "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ad7818904e59304837ead3a5d03623f5a9888e17", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "attack_vector": "Sonde HTTP \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": "jetdirect", "service_label_fr": "JETDIRECT", "dst_port": 9100, "protocol_emulated": true, "tags_summary": [ "pat-0419" ], "tags_summary_labels_fr": [ "pat-0419" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-jetdirect", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "attack_vector": "Sonde HTTP \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)", "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "jetdirect", "service_banner": "honeypot-jetdirect", "service_os": "linux", "dst_port": "9100" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mozi_pattern", "net_mozi_pattern" ], "asn_dc_heuristic": true }
18/06/2026 01:32:04 UTC	TCP	5001 · UPNP TCP	upnp-tcp	Sonde PostgreSQL postgres probe · via UPNP TCP:5001 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur UPNP-TCP WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5001 Chemin / cible — Service UPNP TCP Payload ��,��ܕ�>x<��r~=�4�ʚC�;�� r $�(�К�~��&�jJ�]3�+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��,��ܕ�>x<��r~=�4�ʚC�;�� r $�(�К�~��&�jJ�]3�+�/�,�0̨̩� �� q� Requête brute (extrait) ��,��ܕ�>x<��r~=�4�ʚC�;�� r $�(�К�~��&�jJ�]3�+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��t��摃 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742075706e705f74637020726561647920706f72743d353030310d0a", "emulator_response_len": 39, "bytes_in": 1501, "payload_entropy": 7.687659702890091, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "upnp-tcp", "app_proto": "upnp-tcp", "asn": 16509, "country": "US", "dst_port": 5001, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "436278379f11f507398419d513ec805702ed650d", "event_fingerprint": "a80d71c7dcef6b8541bd0810036e78213dbbe720", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "upnp-tcp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d13a01385fcabeed7a5b79284fb88c63", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 5001, "service": "upnp-tcp", "service_name": "upnp-tcp", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003,\ufffd\ufffd\ufffd\u0715\ufffd>x\u0004<\ufffd\ufffd\ufffdr~\u0000\u0003=\ufffd4\ufffd\u0003\u029aC\ufffd;\ufffd\ufffd \u001b\u0010\ufffd\ufffd\ufffd\ufffdr\t\u0013$\ufffd\u0001(\ufffd\u041a\ufffd~\ufffd\u0015\ufffd\ufffd\ufffd&\u0010\u001d\ufffdjJ\ufffd]3\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003,\ufffd\ufffd\ufffd\u0715\ufffd>x\u0004<\ufffd\ufffd\ufffdr~\u0000\u0003=\ufffd4\ufffd\u0003\u029aC\ufffd;\ufffd\ufffd \u001b\u0010\ufffd\ufffd\ufffd\ufffdr\t\u0013$\ufffd\u0001(\ufffd\u041a\ufffd~\ufffd\u0015\ufffd\ufffd\ufffd&\u0010\u001d\ufffdjJ\ufffd]3\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u0005t\ufffd\ufffd\u6443", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003,\ufffd\ufffd\ufffd\u0715\ufffd>x\u0004<\ufffd\ufffd\ufffdr~\u0000\u0003=\ufffd4\ufffd\u0003\u029aC\ufffd;\ufffd\ufffd \u001b\u0010\ufffd\ufffd\ufffd\ufffdr\t\u0013$\ufffd\u0001(\ufffd\u041a\ufffd~\ufffd\u0015\ufffd\ufffd\ufffd&\u0010\u001d\ufffdjJ\ufffd]3\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d3a15163614e31d58b6c2019a3b36ce8250fd7b9", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003,\ufffd\ufffd\ufffd\u0715\ufffd>x\u0004<\ufffd\ufffd\ufffdr~\u0000\u0003=\ufffd4\ufffd\u0003\u029aC\ufffd;\ufffd\ufffd \u001b\u0010\ufffd\ufffd\ufffd\ufffdr\t\u0013$\ufffd\u0001(\ufffd\u041a\ufffd~\ufffd\u0015\ufffd\ufffd\ufffd&\u0010\u001d\ufffdjJ\ufffd]3\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 5001, "service": "upnp-tcp", "service_label_fr": "UPNP TCP" }, "evidence_snippet": "\ufffd\ufffd,\ufffd\ufffd\ufffd\u0715\ufffd>x<\ufffd\ufffd\ufffdr~=\ufffd4\ufffd\u029aC\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffdr\t$\ufffd(\ufffd\u041a\ufffd~\ufffd\ufffd\ufffd\ufffd&\ufffdjJ\ufffd]3\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via UPNP TCP:5001 \u00b7 (sonde \/ probe)", "target_port_label": "5001 \u00b7 UPNP TCP", "emulator_service": "upnp-tcp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "upnp-tcp", "service_label_fr": "UPNP TCP", "dst_port": 5001, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-upnp-tcp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003,\ufffd\ufffd\ufffd\u0715\ufffd>x\u0004<\ufffd\ufffd\ufffdr~\u0000\u0003=\ufffd4\ufffd\u0003\u029aC\ufffd;\ufffd\ufffd \u001b\u0010\ufffd\ufffd\ufffd\ufffdr\t\u0013$\ufffd\u0001(\ufffd\u041a\ufffd~\ufffd\u0015\ufffd\ufffd\ufffd&\u0010\u001d\ufffdjJ\ufffd]3\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 5001, "service": "upnp-tcp", "service_label_fr": "UPNP TCP" }, "attack_vector": "postgres probe \u00b7 via UPNP TCP:5001 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd,\ufffd\ufffd\ufffd\u0715\ufffd>x<\ufffd\ufffd\ufffdr~=\ufffd4\ufffd\u029aC\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffdr\t$\ufffd(\ufffd\u041a\ufffd~\ufffd\ufffd\ufffd\ufffd&\ufffdjJ\ufffd]3\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "5001 \u00b7 UPNP TCP", "emulator_service": "upnp-tcp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "upnp_tcp", "service_banner": "honeypot-upnp-tcp", "service_os": "linux", "dst_port": "5001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 01:32:04 UTC	TCP	5001 · UPNP TCP	upnp-tcp	Sonde HTTP Sonde HTTP · via UPNP TCP:5001 · (sonde / probe)	Élevée	Moyen · 43
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur UPNP-TCP WAF — Recommandation Surveiller Tags mozi_pattern net_mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5001 Chemin / cible — Service UPNP TCP Payload HEAD / HTTP/1.1 Host: 62.3.50.33:5001 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 43 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0419 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) HTTP HEAD method User-Agent — Règles WAF — Payload (extrait) HEAD / HTTP/1.1 Host: 62.3.50.33:5001 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742075706e705f74637020726561647920706f72743d353030310d0a", "emulator_response_len": 39, "bytes_in": 93, "payload_entropy": 5.1168154672926, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "upnp-tcp", "app_proto": "upnp-tcp", "asn": 16509, "country": "US", "dst_port": 5001, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 43, "tag_count": 2, "anomaly_count": 0, "campaign_key": "074b6b31ed3a8c5490682064a956f96ee16a85d5", "event_fingerprint": "c4fbc45603d24d7eb870e14692e418def7cee731", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0419" ], "kb_rule_ids": [ "pat-0419" ], "matched_patterns": [ "pat-0419" ], "matched_pattern_names": [ "HTTP HEAD method" ], "pattern_ids": [ "pat-0419" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "upnp-tcp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ed8d95df63994ed2e2036f05f01f42a3", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "target_context": { "dst_port": 5001, "service": "upnp-tcp", "service_name": "upnp-tcp", "risk_score": 43 }, "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "evidence": { "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b1690352740fe2edb421ee75be818d194d626cdb", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 5001, "service": "upnp-tcp", "service_label_fr": "UPNP TCP" }, "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "attack_vector": "Sonde HTTP \u00b7 via UPNP TCP:5001 \u00b7 (sonde \/ probe)", "target_port_label": "5001 \u00b7 UPNP TCP", "emulator_service": "upnp-tcp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 43\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 43 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 43, "risk_label": "Moyen", "service_name": "upnp-tcp", "service_label_fr": "UPNP TCP", "dst_port": 5001, "protocol_emulated": true, "tags_summary": [ "pat-0419" ], "tags_summary_labels_fr": [ "pat-0419" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-upnp-tcp", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 5001, "service": "upnp-tcp", "service_label_fr": "UPNP TCP" }, "attack_vector": "Sonde HTTP \u00b7 via UPNP TCP:5001 \u00b7 (sonde \/ probe)", "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5001\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "target_port_label": "5001 \u00b7 UPNP TCP", "emulator_service": "upnp-tcp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "upnp_tcp", "service_banner": "honeypot-upnp-tcp", "service_os": "linux", "dst_port": "5001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mozi_pattern", "net_mozi_pattern" ], "asn_dc_heuristic": true }
18/06/2026 01:20:44 UTC	TCP	4567 · AWS ECS AGENT	aws-ecs-agent	Sonde HTTP Sonde HTTP · via AWS ECS AGENT:4567 · (sonde / probe)	Élevée	Moyen · 43
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur AWS-ECS-AGENT WAF — Recommandation Surveiller Tags aws_ecs_agent_emulated aws_ecs_agent_payload mozi_pattern net_cloud_scanner Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4567 Chemin / cible — Service AWS ECS AGENT Payload HEAD / HTTP/1.1 Host: 62.3.50.33:4567 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 43 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0419 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) HTTP HEAD method User-Agent — Règles WAF — Payload (extrait) HEAD / HTTP/1.1 Host: 62.3.50.33:4567 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206177735f6563735f6167656e7420726561647920706f72743d343536370d0a", "emulator_response_len": 44, "bytes_in": 93, "payload_entropy": 5.198639558415576, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "aws-ecs-agent", "app_proto": "aws-ecs-agent", "asn": 16509, "country": "US", "dst_port": 4567, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d71cb6aaf7995d19c1092f80f2672a5d98f49cd0", "event_fingerprint": "ed5db39ce4a1ce0fda50382d1438797185e5f337", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0419" ], "kb_rule_ids": [ "pat-0419" ], "matched_patterns": [ "pat-0419" ], "matched_pattern_names": [ "HTTP HEAD method" ], "pattern_ids": [ "pat-0419" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "aws-ecs-agent", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "28bd4bee4fbe766fe0a69f7eec99a817", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "target_context": { "dst_port": 4567, "service": "aws-ecs-agent", "service_name": "aws-ecs-agent", "risk_score": 43 }, "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "evidence": { "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "52f5b9931f3eeac6785ff14ee7249269edf05f6a", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 4567, "service": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT" }, "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "attack_vector": "Sonde HTTP \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)", "target_port_label": "4567 \u00b7 AWS ECS AGENT", "emulator_service": "aws-ecs-agent", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 43\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 43, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 43, "risk_label": "Moyen", "service_name": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT", "dst_port": 4567, "protocol_emulated": true, "tags_summary": [ "pat-0419" ], "tags_summary_labels_fr": [ "pat-0419" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-aws-ecs-agent", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 4567, "service": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT" }, "attack_vector": "Sonde HTTP \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)", "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:4567\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "target_port_label": "4567 \u00b7 AWS ECS AGENT", "emulator_service": "aws-ecs-agent", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "aws_ecs_agent", "service_banner": "honeypot-aws-ecs-agent", "service_os": "linux", "dst_port": "4567" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "aws-ecs-agent", "game-unreal" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "aws_ecs_agent_emulated", "aws_ecs_agent_payload", "mozi_pattern", "net_cloud_scanner" ], "asn_dc_heuristic": true }
18/06/2026 01:20:43 UTC	TCP	4567 · AWS ECS AGENT	aws-ecs-agent	Sonde PostgreSQL postgres probe · via AWS ECS AGENT:4567 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur AWS-ECS-AGENT WAF — Recommandation Surveiller Tags aws_ecs_agent_emulated aws_ecs_agent_payload net_cloud_scanner tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4567 Chemin / cible — Service AWS ECS AGENT Payload ��h��7�Pt��g�Hԥ�`��j�O��r\[b �QV=�I�6�l�7=�� ;�c_��T�3f�+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��h��7�Pt��g�Hԥ�`��j�O��r\[b �QV=�I�6�l�7=�� ;�c_��T�3f�+�/�,�0̨̩� �� q� Requête brute (extrait) ��h��7�Pt��g�Hԥ�`��j�O��r\[b �QV=�I�6�l�7=�� ;�c_��T�3f�+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��M;(H( � Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206177735f6563735f6167656e7420726561647920706f72743d343536370d0a", "emulator_response_len": 44, "bytes_in": 1501, "payload_entropy": 7.699803498119824, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "aws-ecs-agent", "app_proto": "aws-ecs-agent", "asn": 16509, "country": "US", "dst_port": 4567, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "647c00d5d24c857ac83fe9bc2d3b005a0e4c7e82", "event_fingerprint": "ed5db39ce4a1ce0fda50382d1438797185e5f337", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "aws-ecs-agent", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1ab0f9bb8ecede05c8d88f0759048633", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 4567, "service": "aws-ecs-agent", "service_name": "aws-ecs-agent", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\u0018\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\[b \u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\u0017\ufffd\ufffd\ufffd\t;\ufffdc_\ufffd\ufffdT\ufffd\u00043f\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\u0018\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\[b \u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\u0017\ufffd\ufffd\ufffd\t;\ufffdc_\ufffd\ufffdT\ufffd\u00043f\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffdM;(H(\u000b\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\u0018\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\[b \u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\u0017\ufffd\ufffd\ufffd\t;\ufffdc_\ufffd\ufffdT\ufffd\u00043f\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "75cb2f6e5e0816d41aba77cbd5ab3171768bace6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\u0018\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\[b \u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\u0017\ufffd\ufffd\ufffd\t;\ufffdc_\ufffd\ufffdT\ufffd\u00043f\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 4567, "service": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT" }, "evidence_snippet": "\ufffd\ufffd\ufffdh\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\[b \ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\ufffd\ufffd\ufffd\t;\ufffdc_\ufffd\ufffdT\ufffd3f\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)", "target_port_label": "4567 \u00b7 AWS ECS AGENT", "emulator_service": "aws-ecs-agent", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT", "dst_port": 4567, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-aws-ecs-agent", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\u0018\u0015h\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\[b \u000b\ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\u0017\ufffd\ufffd\ufffd\t;\ufffdc_\ufffd\ufffdT\ufffd\u00043f\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 4567, "service": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT" }, "attack_vector": "postgres probe \u00b7 via AWS ECS AGENT:4567 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdh\ufffd\ufffd7\ufffdPt\ufffd\ufffd\ufffdg\ufffdH\u0525\ufffd`\ufffd\ufffdj\ufffdO\ufffd\ufffdr\\[b \ufffdQV=\ufffdI\ufffd6\ufffdl\ufffd7=\ufffd\ufffd\ufffd\t;\ufffdc_\ufffd\ufffdT\ufffd3f\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "4567 \u00b7 AWS ECS AGENT", "emulator_service": "aws-ecs-agent", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "aws_ecs_agent", "service_banner": "honeypot-aws-ecs-agent", "service_os": "linux", "dst_port": "4567" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "aws-ecs-agent", "game-unreal" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "aws_ecs_agent_emulated", "aws_ecs_agent_payload", "net_cloud_scanner", "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 01:17:45 UTC	TCP	7777 · GAME UNREAL	game-unreal	Sonde PostgreSQL postgres probe · via GAME UNREAL:7777 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur GAME-UNREAL WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7777 Chemin / cible — Service GAME UNREAL Payload ��N6 'h�&��2�;b%Gq)X��Z'n��]C(� x��m�:�2��@[hIF��:��45��#�D��+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��N6 'h�&��2�;b%Gq)X��Z'n��]C(� x��m�:�2��@[hIF��:��45��#�D��+�/�,�0̨̩� �� q� Requête brute (extrait) ��N6 'h�&��2�;b%Gq)X��Z'n��]C(� x��m�:�2��@[hIF��:��45��#�D��+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��8�o Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a", "emulator_response_len": 42, "bytes_in": 1501, "payload_entropy": 7.730221061904469, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "game-unreal", "app_proto": "game-unreal", "asn": 16509, "country": "US", "dst_port": 7777, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a80e1e975d546d6c38d71e2f91a00a66c01630bc", "event_fingerprint": "a35789f75452d6a73be983d5f266e3a77d710b7e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "game-unreal", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c83842cf0d03dcf8d82c65b1c1929e75", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 7777, "service": "game-unreal", "service_name": "game-unreal", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0011N6\t'h\ufffd\u001c&\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ'n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0011N6\t'h\ufffd\u001c&\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ'n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffd\u0010\u00178\ufffdo", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0011N6\t'h\ufffd\u001c&\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ'n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fb535b3ebb5ccce3a211dd69b2dd76e639c47e2c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0011N6\t'h\ufffd\u001c&\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ'n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 7777, "service": "game-unreal", "service_label_fr": "GAME UNREAL" }, "evidence_snippet": "\ufffd\ufffdN6\t'h\ufffd&\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ'n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)", "target_port_label": "7777 \u00b7 GAME UNREAL", "emulator_service": "game-unreal", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "game-unreal", "service_label_fr": "GAME UNREAL", "dst_port": 7777, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-game-unreal", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u0011N6\t'h\ufffd\u001c&\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ'n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 7777, "service": "game-unreal", "service_label_fr": "GAME UNREAL" }, "attack_vector": "postgres probe \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdN6\t'h\ufffd&\ufffd\ufffd2\ufffd;b%Gq)X\ufffd\ufffdZ'n\ufffd\ufffd]C(\ufffd x\ufffd\ufffdm\ufffd:\ufffd2\ufffd\ufffd@[hIF\ufffd\ufffd:\ufffd\ufffd\ufffd45\ufffd\ufffd\ufffd\ufffd#\ufffdD\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "7777 \u00b7 GAME UNREAL", "emulator_service": "game-unreal", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "game_unreal", "service_banner": "honeypot-game-unreal", "service_os": "linux", "dst_port": "7777" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 01:17:45 UTC	TCP	7777 · GAME UNREAL	game-unreal	Sonde HTTP Sonde HTTP · via GAME UNREAL:7777 · (sonde / probe)	Élevée	Moyen · 46
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur GAME-UNREAL WAF — Recommandation Surveiller Tags mozi_pattern net_mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7777 Chemin / cible — Service GAME UNREAL Payload HEAD / HTTP/1.1 Host: 62.3.50.33:7777 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Moyen · 46 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0419 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) HTTP HEAD method User-Agent — Règles WAF — Payload (extrait) HEAD / HTTP/1.1 Host: 62.3.50.33:7777 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a", "emulator_response_len": 42, "bytes_in": 93, "payload_entropy": 5.16374587564314, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "game-unreal", "app_proto": "game-unreal", "asn": 16509, "country": "US", "dst_port": 7777, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 46, "tag_count": 2, "anomaly_count": 0, "campaign_key": "86e08fd16a2f2fc5dde0a89b7566a19d99b433f2", "event_fingerprint": "9273f783c1dae2e568012c7a37ad4352fef5fca5", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0419" ], "kb_rule_ids": [ "pat-0419" ], "matched_patterns": [ "pat-0419" ], "matched_pattern_names": [ "HTTP HEAD method" ], "pattern_ids": [ "pat-0419" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "game-unreal", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "861cb19f9d9b9b6c0f602ae4d33d1e04", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "target_context": { "dst_port": 7777, "service": "game-unreal", "service_name": "game-unreal", "risk_score": 46 }, "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "evidence": { "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a910673b2225feb8f660fb9fb4d062c879b2a829", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 7777, "service": "game-unreal", "service_label_fr": "GAME UNREAL" }, "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "attack_vector": "Sonde HTTP \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)", "target_port_label": "7777 \u00b7 GAME UNREAL", "emulator_service": "game-unreal", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 46\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 46 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 46, "risk_label": "Moyen", "service_name": "game-unreal", "service_label_fr": "GAME UNREAL", "dst_port": 7777, "protocol_emulated": true, "tags_summary": [ "pat-0419" ], "tags_summary_labels_fr": [ "pat-0419" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-game-unreal", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 7777, "service": "game-unreal", "service_label_fr": "GAME UNREAL" }, "attack_vector": "Sonde HTTP \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)", "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "target_port_label": "7777 \u00b7 GAME UNREAL", "emulator_service": "game-unreal", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "game_unreal", "service_banner": "honeypot-game-unreal", "service_os": "linux", "dst_port": "7777" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mozi_pattern", "net_mozi_pattern" ], "asn_dc_heuristic": true }
18/06/2026 01:11:04 UTC	TCP	8091 · COUCHBASE	couchbase	Sonde PostgreSQL postgres probe · via COUCHBASE:8091 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur COUCHBASE WAF — Recommandation Surveiller Tags couchbase_emulated couchbase_payload net_couchbase_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Service COUCHBASE Payload ��S[m�͔��\|��T��n��z� �O��C��p�&kvY ��X��/� � V�+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��S[m�͔��\|��T��n��z� �O��C��p�&kvY ��X��/��V�+�/�,�0̨̩� �� q� Requête brute (extrait) ��S[m�͔��\|��T��n��z� �O��C��p�&kvY ��X��/� � V�+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��d�t�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420636f7563686261736520726561647920706f72743d383039310d0a", "emulator_response_len": 40, "bytes_in": 1501, "payload_entropy": 7.723847946816689, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "couchbase", "app_proto": "couchbase", "asn": 16509, "country": "US", "dst_port": 8091, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "54b305efd9f6c87fdc9ee5b9ecb530cc38f1805f", "event_fingerprint": "9e9deeb6547e6521ff916066811968748b0cf23e", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "couchbase", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ba1a9c9a132f0af8fea36e01783a3722", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8091, "service": "couchbase", "service_name": "couchbase", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S[m\ufffd\u0354\u0015\ufffd\ufffd\b\ufffd\|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\u000e\ufffdn\ufffd\ufffdz\ufffd\r \ufffdO\ufffd\u001a\ufffdC\ufffd\ufffdp\ufffd&kv\u0007\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\u001b\f\ufffd\u000bV\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S[m\ufffd\u0354\u0015\ufffd\ufffd\b\ufffd\|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\u000e\ufffdn\ufffd\ufffdz\ufffd\r \ufffdO\ufffd\u001a\ufffdC\ufffd\ufffdp\ufffd&kv\u0007\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\u001b\f\ufffd\u000bV\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffdd\ufffdt\ufffd\u0015\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S[m\ufffd\u0354\u0015\ufffd\ufffd\b\ufffd\|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\u000e\ufffdn\ufffd\ufffdz\ufffd\r \ufffdO\ufffd\u001a\ufffdC\ufffd\ufffdp\ufffd&kv\u0007\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\u001b\f\ufffd\u000bV\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bc250d3e3428274059f83c7297c28c1c6b29aaf8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S[m\ufffd\u0354\u0015\ufffd\ufffd\b\ufffd\|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\u000e\ufffdn\ufffd\ufffdz\ufffd\r \ufffdO\ufffd\u001a\ufffdC\ufffd\ufffdp\ufffd&kv\u0007\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\u001b\f\ufffd\u000bV\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 8091, "service": "couchbase", "service_label_fr": "COUCHBASE" }, "evidence_snippet": "\ufffd\ufffdS[m\ufffd\u0354\ufffd\ufffd\ufffd\|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffdz\ufffd\r \ufffdO\ufffd\ufffdC\ufffd\ufffdp\ufffd&kvY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffdV\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via COUCHBASE:8091 \u00b7 (sonde \/ probe)", "target_port_label": "8091 \u00b7 COUCHBASE", "emulator_service": "couchbase", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "couchbase", "service_label_fr": "COUCHBASE", "dst_port": 8091, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-couchbase", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003S[m\ufffd\u0354\u0015\ufffd\ufffd\b\ufffd\|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\u000e\ufffdn\ufffd\ufffdz\ufffd\r \ufffdO\ufffd\u001a\ufffdC\ufffd\ufffdp\ufffd&kv\u0007\u000eY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\u001b\f\ufffd\u000bV\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 8091, "service": "couchbase", "service_label_fr": "COUCHBASE" }, "attack_vector": "postgres probe \u00b7 via COUCHBASE:8091 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdS[m\ufffd\u0354\ufffd\ufffd\ufffd\|\ufffd\ufffdT\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffdz\ufffd\r \ufffdO\ufffd\ufffdC\ufffd\ufffdp\ufffd&kvY \ufffd\ufffdX\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffdV\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "8091 \u00b7 COUCHBASE", "emulator_service": "couchbase", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "couchbase", "service_banner": "honeypot-couchbase", "service_os": "linux", "dst_port": "8091" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 4, "multi_protocol_sample": [ "couchbase", "http", "http-alt-8040", "rtcp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "couchbase_emulated", "couchbase_payload", "net_couchbase_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 01:11:04 UTC	TCP	8091 · COUCHBASE	couchbase	Sonde HTTP Sonde HTTP · via COUCHBASE:8091 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur COUCHBASE WAF — Recommandation Surveiller Tags couchbase_emulated couchbase_payload mozi_pattern net_couchbase_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Service COUCHBASE Payload HEAD / HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0419 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) HTTP HEAD method User-Agent — Règles WAF — Payload (extrait) HEAD / HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420636f7563686261736520726561647920706f72743d383039310d0a", "emulator_response_len": 40, "bytes_in": 93, "payload_entropy": 5.185251251987226, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "couchbase", "app_proto": "couchbase", "asn": 16509, "country": "US", "dst_port": 8091, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "810d1d1022f8bfbfccdfa39598b2ffefaaa839f3", "event_fingerprint": "9e9deeb6547e6521ff916066811968748b0cf23e", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0419" ], "kb_rule_ids": [ "pat-0419" ], "matched_patterns": [ "pat-0419" ], "matched_pattern_names": [ "HTTP HEAD method" ], "pattern_ids": [ "pat-0419" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "couchbase", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c5cd5325da6af7b4b3283ad8e19e392b", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "target_context": { "dst_port": 8091, "service": "couchbase", "service_name": "couchbase", "risk_score": 42 }, "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "evidence": { "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b951ee9f22d322f12b8b4870fe75921c3d617e0", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 8091, "service": "couchbase", "service_label_fr": "COUCHBASE" }, "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "attack_vector": "Sonde HTTP \u00b7 via COUCHBASE:8091 \u00b7 (sonde \/ probe)", "target_port_label": "8091 \u00b7 COUCHBASE", "emulator_service": "couchbase", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "couchbase", "service_label_fr": "COUCHBASE", "dst_port": 8091, "protocol_emulated": true, "tags_summary": [ "pat-0419" ], "tags_summary_labels_fr": [ "pat-0419" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-couchbase", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 8091, "service": "couchbase", "service_label_fr": "COUCHBASE" }, "attack_vector": "Sonde HTTP \u00b7 via COUCHBASE:8091 \u00b7 (sonde \/ probe)", "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "target_port_label": "8091 \u00b7 COUCHBASE", "emulator_service": "couchbase", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "couchbase", "service_banner": "honeypot-couchbase", "service_os": "linux", "dst_port": "8091" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 4, "multi_protocol_sample": [ "couchbase", "http", "http-alt-8040", "rtcp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "couchbase_emulated", "couchbase_payload", "mozi_pattern", "net_couchbase_probe" ], "asn_dc_heuristic": true }
18/06/2026 01:09:42 UTC	TCP	5005 · RTCP	rtcp	Sonde HTTP Sonde HTTP · via RTCP:5005 · (sonde / probe)	Élevée	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTCP WAF — Recommandation Surveiller Tags mozi_pattern net_mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5005 Chemin / cible — Service RTCP Payload HEAD / HTTP/1.1 Host: 62.3.50.33:5005 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0419 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) HTTP HEAD method User-Agent — Règles WAF — Payload (extrait) HEAD / HTTP/1.1 Host: 62.3.50.33:5005 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74207274637020726561647920706f72743d353030350d0a", "emulator_response_len": 35, "bytes_in": 93, "payload_entropy": 5.111544230779986, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "rtcp", "app_proto": "rtcp", "asn": 16509, "country": "US", "dst_port": 5005, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 44, "tag_count": 2, "anomaly_count": 0, "campaign_key": "21235df30f83d4fb1095063fa6f63a07d2c67820", "event_fingerprint": "2eff11117aba3b41665d6c6eb4a00aa259989d28", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0419" ], "kb_rule_ids": [ "pat-0419" ], "matched_patterns": [ "pat-0419" ], "matched_pattern_names": [ "HTTP HEAD method" ], "pattern_ids": [ "pat-0419" ], "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 44, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "rtcp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1a4e06c4ba417c3ea690ba5ba949e0d9", "path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae" }, "target_context": { "dst_port": 5005, "service": "rtcp", "service_name": "rtcp", "risk_score": 44 }, "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "evidence": { "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87621f11d69e2f4c1d183df45b685894d8a834f9", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 5005, "service": "rtcp", "service_label_fr": "RTCP" }, "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "attack_vector": "Sonde HTTP \u00b7 via RTCP:5005 \u00b7 (sonde \/ probe)", "target_port_label": "5005 \u00b7 RTCP", "emulator_service": "rtcp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": "rtcp", "service_label_fr": "RTCP", "dst_port": 5005, "protocol_emulated": true, "tags_summary": [ "pat-0419" ], "tags_summary_labels_fr": [ "pat-0419" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtcp", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 5005, "service": "rtcp", "service_label_fr": "RTCP" }, "attack_vector": "Sonde HTTP \u00b7 via RTCP:5005 \u00b7 (sonde \/ probe)", "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:5005\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "target_port_label": "5005 \u00b7 RTCP", "emulator_service": "rtcp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtcp", "service_banner": "honeypot-rtcp", "service_os": "linux", "dst_port": "5005" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "http-alt-8040", "rtcp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mozi_pattern", "net_mozi_pattern" ], "asn_dc_heuristic": true }
18/06/2026 01:09:41 UTC	TCP	5005 · RTCP	rtcp	Sonde PostgreSQL postgres probe · via RTCP:5005 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTCP WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5005 Chemin / cible — Service RTCP Payload ��u�?�/��'A'N/}��}�)�HLdL�;d ��~��ť[��\|��L8努9��7�_�M; �+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��u�?�/��'A'N/}��}�)�HLdL�;d ��~��ť[��\|��L8努9��7�_�M; �+�/�,�0̨̩� �� q� Requête brute (extrait) ��u�?�/��'A'N/}��}�)�HLdL�;d ��~��ť[��\|��L8努9��7�_�M; �+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��fvHD� Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74207274637020726561647920706f72743d353030350d0a", "emulator_response_len": 35, "bytes_in": 1501, "payload_entropy": 7.733880503378278, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "rtcp", "app_proto": "rtcp", "asn": 16509, "country": "US", "dst_port": 5005, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "113d59398490dcab045104e0dc3f331b7dd31205", "event_fingerprint": "606c6359759c484b0a1a45484ef7da5fe50e5232", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "rtcp", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3b26c5471ddb79ba311d6097c2a428f1", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 5005, "service": "rtcp", "service_name": "rtcp", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003u\ufffd?\ufffd\/\u001a\ufffd\ufffd'A'N\/}\u0004\u0007\ufffd\ufffd}\ufffd)\u0011\u0005\ufffdHLdL\ufffd;d\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd\|\ufffd\ufffdL8\u52aa\u00139\ufffd\ufffd7\u001b\ufffd_\ufffdM;\r\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003u\ufffd?\ufffd\/\u001a\ufffd\ufffd'A'N\/}\u0004\u0007\ufffd\ufffd}\ufffd)\u0011\u0005\ufffdHLdL\ufffd;d\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd\|\ufffd\ufffdL8\u52aa\u00139\ufffd\ufffd7\u001b\ufffd_\ufffdM;\r\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffdfvHD\u0017\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003u\ufffd?\ufffd\/\u001a\ufffd\ufffd'A'N\/}\u0004\u0007\ufffd\ufffd}\ufffd)\u0011\u0005\ufffdHLdL\ufffd;d\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd\|\ufffd\ufffdL8\u52aa\u00139\ufffd\ufffd7\u001b\ufffd_\ufffdM;\r\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9bab1ce74326f2125d76535c14fe1db07a735540", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003u\ufffd?\ufffd\/\u001a\ufffd\ufffd'A'N\/}\u0004\u0007\ufffd\ufffd}\ufffd)\u0011\u0005\ufffdHLdL\ufffd;d\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd\|\ufffd\ufffdL8\u52aa\u00139\ufffd\ufffd7\u001b\ufffd_\ufffdM;\r\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 5005, "service": "rtcp", "service_label_fr": "RTCP" }, "evidence_snippet": "\ufffd\ufffdu\ufffd?\ufffd\/\ufffd\ufffd'A'N\/}\ufffd\ufffd}\ufffd)\ufffdHLdL\ufffd;d \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd\|\ufffd\ufffdL8\u52aa9\ufffd\ufffd7\ufffd_\ufffdM;\r\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via RTCP:5005 \u00b7 (sonde \/ probe)", "target_port_label": "5005 \u00b7 RTCP", "emulator_service": "rtcp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "rtcp", "service_label_fr": "RTCP", "dst_port": 5005, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtcp", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003u\ufffd?\ufffd\/\u001a\ufffd\ufffd'A'N\/}\u0004\u0007\ufffd\ufffd}\ufffd)\u0011\u0005\ufffdHLdL\ufffd;d\u0017 \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd\|\ufffd\ufffdL8\u52aa\u00139\ufffd\ufffd7\u001b\ufffd_\ufffdM;\r\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 5005, "service": "rtcp", "service_label_fr": "RTCP" }, "attack_vector": "postgres probe \u00b7 via RTCP:5005 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdu\ufffd?\ufffd\/\ufffd\ufffd'A'N\/}\ufffd\ufffd}\ufffd)\ufffdHLdL\ufffd;d \ufffd\ufffd~\ufffd\ufffd\ufffd\u0165[\ufffd\ufffd\|\ufffd\ufffdL8\u52aa9\ufffd\ufffd7\ufffd_\ufffdM;\r\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "5005 \u00b7 RTCP", "emulator_service": "rtcp", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtcp", "service_banner": "honeypot-rtcp", "service_os": "linux", "dst_port": "5005" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "http-alt-8040", "rtcp" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 01:06:54 UTC	TCP	8040 · HTTP ALT 8040	http-alt-8040	Sonde PostgreSQL postgres probe · via HTTP ALT 8040:8040 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8040 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8040 Chemin / cible — Service HTTP ALT 8040 Payload ��4�(��q%�M��%Ҙ�� 1��Q�$�� }dK\|% _5Yp�� +"��\|�G� +M⎋y0��+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��4�(��q%�M��%Ҙ�� 1��Q�$�� }dK\|%_5Yp��+"��\|�G� +M⎋y0��+�/�,�0̨̩� �� q� Requête brute (extrait) ��4�(��q%�M��%Ҙ�� 1��Q�$�� }dK\|% _5Yp�� +"��\|�G� +M⎋y0��+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��"&K Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1501, "payload_entropy": 7.73511735158087, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http-alt-8040", "app_proto": "http-alt-8040", "asn": 16509, "country": "US", "dst_port": 8040, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a7294fb57e5d1bd7f515642bfb7d775028264167", "event_fingerprint": "ce3872fa31b8251521ce92e15f09a1ea7ad32402", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8040", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4a15c75b394a74264ee974312f8ead8c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8040, "service": "http-alt-8040", "service_name": "http-alt-8040", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00034\ufffd(\ufffd\ufffd\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\r1\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK\|%\f_5Yp\ufffd\ufffd\f+\"\ufffd\u0000\ufffd\ufffd\|\ufffdG\ufffd +M\u238by0\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00034\ufffd(\ufffd\ufffd\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\r1\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK\|%\f_5Yp\ufffd\ufffd\f+\"\ufffd\u0000\ufffd\ufffd\|\ufffdG\ufffd +M\u238by0\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffd\ufffd\"&\u001dK", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00034\ufffd(\ufffd\ufffd\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\r1\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK\|%\f_5Yp\ufffd\ufffd\f+\"\ufffd\u0000\ufffd\ufffd\|\ufffdG\ufffd +M\u238by0\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c02544db2db86115262a22ab493da8f48fd39720", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00034\ufffd(\ufffd\ufffd\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\r1\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK\|%\f_5Yp\ufffd\ufffd\f+\"\ufffd\u0000\ufffd\ufffd\|\ufffdG\ufffd +M\u238by0\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 8040, "service": "http-alt-8040", "service_label_fr": "HTTP ALT 8040" }, "evidence_snippet": "\ufffd\ufffd4\ufffd(\ufffd\ufffd\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\r1\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK\|%_5Yp\ufffd\ufffd+\"\ufffd\ufffd\ufffd\|\ufffdG\ufffd +M\u238by0\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)", "target_port_label": "8040 \u00b7 HTTP ALT 8040", "emulator_service": "http-alt-8040", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8040", "service_label_fr": "HTTP ALT 8040", "dst_port": 8040, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8040", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00034\ufffd(\ufffd\ufffd\u0003\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\r1\b\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK\|%\f_5Yp\ufffd\ufffd\f+\"\ufffd\u0000\ufffd\ufffd\|\ufffdG\ufffd +M\u238by0\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 8040, "service": "http-alt-8040", "service_label_fr": "HTTP ALT 8040" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd4\ufffd(\ufffd\ufffd\ufffdq%\ufffdM\ufffd\ufffd\ufffd\ufffd\ufffd%\u0498\ufffd\ufffd\r1\ufffd\ufffdQ\ufffd$\ufffd\ufffd\ufffd }dK\|%_5Yp\ufffd\ufffd+\"\ufffd\ufffd\ufffd\|\ufffdG\ufffd +M\u238by0\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "8040 \u00b7 HTTP ALT 8040", "emulator_service": "http-alt-8040", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8040", "service_banner": "honeypot-http-alt-8040", "service_os": "linux", "dst_port": "8040" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
18/06/2026 01:06:54 UTC	TCP	8040 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8040 · (tentative d'exploit)	Élevée	Moyen · 51
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole HEAD / UA Mozilla/5.0 (compatible; Checker/2.0) Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP HEAD / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode HEAD Port 8040 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 51 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `HEAD / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Checker/2.0) Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) HEAD / HTTP/1.1 Host: 62.3.50.33:8040 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "ec529202294adb98b7799d83e8a9f547c3148bfe", "http_host_hash": "536ef780c53aff4571829d7569317b48bd3c681f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "HEAD", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 93, "payload_entropy": 5.176060359812244, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 8040, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0230c466a95c1b77f2132c60e1f0bd624096aa92", "event_fingerprint": "6b48df12f748b1fa3e8f3ce127735f04dd41e370", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e319be119abe500f1e7bd2d554725116", "payload_hash": "0a15d71372e98167bc4aabe04887d9d0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8040, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "method": "HEAD", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Checker\/2.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "HEAD \/ HTTP\/1.1", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "evidence": { "method": "HEAD", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Checker\/2.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "HEAD \/ HTTP\/1.1", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c8035933b72bc59de3632b7f7c97254bb1748957", "protocol_details": { "http_method": "HEAD", "http_path": "\/", "request_line": "HEAD \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 8040, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "attack_vector": "exploit attempt \u00b7 via HTTP:8040 \u00b7 (tentative d'exploit)", "target_port_label": "8040 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 51, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8040, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "HEAD", "http_path": "\/", "request_line": "HEAD \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 8040, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8040 \u00b7 (tentative d'exploit)", "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "target_port_label": "8040 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8040" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8040" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
18/06/2026 01:01:13 UTC	TCP	7443 · ORACLE EM	oracle-em	Sonde PostgreSQL postgres probe · via ORACLE EM:7443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur ORACLE-EM WAF — Recommandation Surveiller Tags net_oracle_tns_probe oracle_em_emulated oracle_em_payload tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7443 Chemin / cible — Service ORACLE EM Payload ��[�ү�U��+�U"o��O��u�[/�CÁ �v�g�/��m t�s��Ʉ-�,߽�}��+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��[�ү�U��+�U"o��O��u�[/�CÁ �v�g�/��m t�s��Ʉ-�,߽�}��+�/�,�0̨̩� �� q� Requête brute (extrait) ��[�ү�U��+�U"o��O��u�[/�CÁ �v�g�/��m t�s��Ʉ-�,߽�}��+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��&m�#�! Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1501, "payload_entropy": 7.699430398259925, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "oracle-em", "app_proto": "oracle-em", "asn": 16509, "country": "US", "dst_port": 7443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4f4acff4c9041c67c73fa498ee94611b63a0dc4b", "event_fingerprint": "3f1d4b52645bcd9531502ab86dc099f88926bef6", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "oracle-em", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "33a4cde669b6bf76c1813f1cffc80849", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 7443, "service": "oracle-em", "service_name": "oracle-em", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\u0015+\ufffdU\"o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\u001d\/\ufffd\ufffdm\rt\ufffds\u000e\ufffd\u0004\ufffd\ufffd\u0244-\ufffd,\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\u0015+\ufffdU\"o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\u001d\/\ufffd\ufffdm\rt\ufffds\u000e\ufffd\u0004\ufffd\ufffd\u0244-\ufffd,\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd&m\ufffd#\ufffd!", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\u0015+\ufffdU\"o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\u001d\/\ufffd\ufffdm\rt\ufffds\u000e\ufffd\u0004\ufffd\ufffd\u0244-\ufffd,\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5c5f8c0aa680054da4261bbfd33fd41e8712c993", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\u0015+\ufffdU\"o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\u001d\/\ufffd\ufffdm\rt\ufffds\u000e\ufffd\u0004\ufffd\ufffd\u0244-\ufffd,\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 7443, "service": "oracle-em", "service_label_fr": "ORACLE EM" }, "evidence_snippet": "\ufffd\ufffd\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd+\ufffdU\"o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\/\ufffd\ufffdm\rt\ufffds\ufffd\ufffd\ufffd\u0244-\ufffd,\u07fd\ufffd}\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via ORACLE EM:7443 \u00b7 (sonde \/ probe)", "target_port_label": "7443 \u00b7 ORACLE EM", "emulator_service": "oracle-em", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "oracle-em", "service_label_fr": "ORACLE EM", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-oracle-em", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\u001e\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd\u0015+\ufffdU\"o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\u0014\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\u001d\/\ufffd\ufffdm\rt\ufffds\u000e\ufffd\u0004\ufffd\ufffd\u0244-\ufffd,\u0014\u07fd\ufffd}\ufffd\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 7443, "service": "oracle-em", "service_label_fr": "ORACLE EM" }, "attack_vector": "postgres probe \u00b7 via ORACLE EM:7443 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd[\ufffd\u04af\ufffdU\ufffd\ufffd+\ufffdU\"o\ufffd\ufffd\ufffdO\ufffd\ufffdu\ufffd[\/\ufffdC\u00c1 \ufffdv\ufffdg\ufffd\/\ufffd\ufffdm\rt\ufffds\ufffd\ufffd\ufffd\u0244-\ufffd,\u07fd\ufffd}\ufffd\ufffd\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "7443 \u00b7 ORACLE EM", "emulator_service": "oracle-em", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "oracle_em", "service_banner": "honeypot-oracle-em", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_oracle_tns_probe", "oracle_em_emulated", "oracle_em_payload", "tls_clienthello" ], "asn_dc_heuristic": true }
18/06/2026 01:01:13 UTC	TCP	7443 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:7443 · (tentative d'exploit)	Élevée	Moyen · 50
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole HEAD / UA Mozilla/5.0 (compatible; Checker/2.0) Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP HEAD / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode HEAD Port 7443 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 50 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `HEAD / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Checker/2.0) Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) HEAD / HTTP/1.1 Host: 62.3.50.33:7443 User-Agent: Mozilla/5.0 (compatible; Checker/2.0) Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "ec529202294adb98b7799d83e8a9f547c3148bfe", "http_host_hash": "3207cc58a88e4dd65c61f1b1f14e699cc0722bbe", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "HEAD", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 93, "payload_entropy": 5.1933683219029625, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 7443, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 50, "tag_count": 4, "anomaly_count": 0, "campaign_key": "40005da017bef00b97976ebf3705f97aaa28ab5f", "event_fingerprint": "461b83f7014fe619299b1b3ff6a2153181db3ce3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 50, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e319be119abe500f1e7bd2d554725116", "payload_hash": "f9e6f14aed619a38d63ca9d792c7b601", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7443, "service": "http", "service_name": "http", "risk_score": 50 }, "payload_preview": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "method": "HEAD", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Checker\/2.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "HEAD \/ HTTP\/1.1", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "evidence": { "method": "HEAD", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Checker\/2.0)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "HEAD \/ HTTP\/1.1", "request_sample": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)\r\n\r\n", "payload_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1cc6c958221858ffd0db9dec62d0c860dfefb2c9", "protocol_details": { "http_method": "HEAD", "http_path": "\/", "request_line": "HEAD \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "attack_vector": "exploit attempt \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit)", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 50, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 50, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "HEAD", "http_path": "\/", "request_line": "HEAD \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Checker\/2.0)", "port": 7443, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:7443 \u00b7 (tentative d'exploit)", "evidence_snippet": "HEAD \/ HTTP\/1.1\r\nHost: 62.3.50.33:7443\r\nUser-Agent: Mozilla\/5.0 (compatible; Checker\/2.0)", "target_port_label": "7443 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "oracle-em" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
18/06/2026 00:34:27 UTC	TCP	8565 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8565 · (sonde / probe)	Moyenne	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 60828da5b42313d1 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8565 Chemin / cible — Service TLS Payload ��<�S\��#u��c��<��i�dS�3T�� ٤�RWt�B^\�?�� \|��=��Mw뼸�x��+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��<�S\��#u��c��<��i�dS�3T�� ٤�RWt�B^\�?�� \|��=��Mw뼸�x��+�/�,�0̨̩� �� q� Requête brute (extrait) ��<�S\��#u��c��<��i�dS�3T�� ٤�RWt�B^\�?�� \|��=��Mw뼸�x��+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��Ö>�Ua Meta JSON brut { "tls_ja3_hash": "60828da5b42313d165aae2938e651b72", "tls_sni": null, "tls_alpn": [ "h2", "http\/1.1" ], "bytes_in": 1501, "payload_entropy": 7.738352704481345, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "tls", "app_proto": "tls", "asn": 16509, "country": "US", "dst_port": 8565, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 2, "anomaly_count": 0, "campaign_key": "416df83980eb1ab90924a31939a084c5d38dc39d", "event_fingerprint": "a226d5472e822adfaa5c91623ff375cf37f3614a", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "60828da5b42313d165aae2938e651b72", "payload_hash": "02fe93415be3e795510b6c8cf008defb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8565, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd<\u0012\ufffdS\\\ufffd\b\ufffd#u\ufffd\ufffd\u0004\ufffdc\ufffd\ufffd<\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\ufffd?\ufffd\ufffd\t\|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\u0014\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd<\u0012\ufffdS\\\ufffd\b\ufffd#u\ufffd\ufffd\u0004\ufffdc\ufffd\ufffd<\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\ufffd?\ufffd\ufffd\t\|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\u0014\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u00d6>\ufffdUa\u0002", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd<\u0012\ufffdS\\\ufffd\b\ufffd#u\ufffd\ufffd\u0004\ufffdc\ufffd\ufffd<\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\ufffd?\ufffd\ufffd\t\|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\u0014\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ffd0d98796854c919302b7f8fc3c3c4334ceb737", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd<\u0012\ufffdS\\\ufffd\b\ufffd#u\ufffd\ufffd\u0004\ufffdc\ufffd\ufffd<\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\ufffd?\ufffd\ufffd\t\|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\u0014\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "tls_ja3": "60828da5b42313d165aae2938e651b72", "port": 8565, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd<\ufffdS\\\ufffd\ufffd#u\ufffd\ufffd\ufffdc\ufffd\ufffd<\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\ufffd?\ufffd\ufffd\t\|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:8565 \u00b7 (sonde \/ probe)", "target_port_label": "8565 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8565, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd<\u0012\ufffdS\\\ufffd\b\ufffd#u\ufffd\ufffd\u0004\ufffdc\ufffd\ufffd<\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\ufffd?\ufffd\ufffd\t\|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\u0014\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "tls_ja3": "60828da5b42313d165aae2938e651b72", "port": 8565, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8565 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd<\ufffdS\\\ufffd\ufffd#u\ufffd\ufffd\ufffdc\ufffd\ufffd<\ufffd\ufffdi\ufffddS\ufffd3T\ufffd\ufffd\ufffd \u0664\ufffdRWt\ufffdB^\\\ufffd?\ufffd\ufffd\t\|\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffdMw\ubf38\ufffdx\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "8565 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8565" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni" ], "asn_dc_heuristic": true }
18/06/2026 00:03:26 UTC	TCP	53 · DNS	dns	Sonde PostgreSQL postgres probe · via DNS:53 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur DNS WAF — Recommandation Surveiller Tags dns_emulated dns_payload net_dns_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 53 Chemin / cible — Service DNS Payload ��"��imd`��Ȥ^yY7�N9�8k�� v��/Y�b�T#^��nR ��Z\�+�/�,�0̨̩� �� q � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��"��imd`��Ȥ^yY7�N9�8k�� v��/Y�b�T#^��nR��Z\�+�/�,�0̨̩� �� q� Requête brute (extrait) ��"��imd`��Ȥ^yY7�N9�8k�� v��/Y�b�T#^��nR ��Z\�+�/�,�0̨̩� �� q � �� 2 h2http/1.1+3��(w�:\| Meta JSON brut { "protocol_emulated": true, "emulator_response": "16038003d8010000d40303d8d7f007d4f822e9cfdd696d6460c1db1ec8a45e795937c44e39f1386bdfcf1820171cec06769e982f599462c287d854235ee7e86e52020c7f96bbf2fc895a5c04001ac02bc02fc02cc030cca9cca8c009c013c00ac01413011302130301000571000b00020100ff01000100001700000012000000", "emulator_response_len": 1501, "bytes_in": 1501, "payload_entropy": 7.732440603697651, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "dns", "app_proto": "dns", "asn": 16509, "country": "US", "dst_port": 53, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 4, "anomaly_count": 0, "campaign_key": "99ca9d090780dd2d2524bc6eeb1fe5cba81a3a64", "event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "dns", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f3836c37f472eaac6f41a295f897c208", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 53, "service": "dns", "service_name": "dns", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\"\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\u0018 \u0017\u001c\ufffd\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\u0002\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\u0004\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\"\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\u0018 \u0017\u001c\ufffd\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\u0002\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\u0004\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\u0010\u0000\u000e\u0011\ufffd\u0011\ufffd\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u0016\u0000\u0014\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u00002\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd(w\ufffd:\|\u0002\u0013", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\"\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\u0018 \u0017\u001c\ufffd\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\u0002\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\u0004\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f3cdcb45fd214cc5b0d22da6688e7cdd1a83a20", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\"\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\u0018 \u0017\u001c\ufffd\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\u0002\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\u0004\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 53, "service": "dns", "service_label_fr": "DNS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd \ufffdv\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "attack_vector": "postgres probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)", "target_port_label": "53 \u00b7 DNS", "emulator_service": "dns", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "dns", "service_label_fr": "DNS", "dst_port": 53, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-dns", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\"\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u001e\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd\u0018 \u0017\u001c\ufffd\u0006v\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\u0002\f\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\u0004\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005q\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "port": 53, "service": "dns", "service_label_fr": "DNS" }, "attack_vector": "postgres probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\ufffd\ufffd\ufffdimd`\ufffd\ufffd\u0224^yY7\ufffdN9\ufffd8k\ufffd\ufffd \ufffdv\ufffd\ufffd\/Y\ufffdb\u0087\ufffdT#^\ufffd\ufffdnR\ufffd\ufffd\ufffd\ufffd\ufffdZ\\\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdq\ufffd", "target_port_label": "53 \u00b7 DNS", "emulator_service": "dns", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "dns", "service_banner": "honeypot-dns", "service_os": "linux", "dst_port": "53" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "dns_emulated", "dns_payload", "net_dns_probe", "tls_clienthello" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }

18.117.74.144

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence