19/06/2026 07:12:28 UTC
TCP
4433 · QUIC HTTP3 STUB
quic probe
quic probe · via QUIC HTTP3 STUB:4433 · (sonde / probe)
Élevée
Faible · 33
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
QUIC-HTTP3-STUB
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_quic_probe
quic_http3_stub_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
4433
Chemin / cible
—
Service
QUIC HTTP3 STUB
Payload
GET / HTTP/1.1 Host: 62.3.50.33:4433 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Pourquoi cette classification : Type « quic_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 5 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:4433
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:4433 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "0c00000000485454502f3320686f6e6579706f7420737475620d0a",
"emulator_response_len": 27,
"bytes_in": 191,
"payload_entropy": 5.282072254328082,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "quic-http3-stub",
"app_proto": "quic-http3-stub",
"asn": 16509,
"country": "US",
"dst_port": 4433,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 33,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "14d92daaaff81dcfbde8a9049295b48b4a641fa5",
"event_fingerprint": "69ec763c111675fc5207ef508e4abdef0f3279d4",
"classification_reason": "Type \u00ab quic_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "quic-http3-stub",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "def26d9d358387928fccd6de4dd0171d",
"path_pattern_hash": "9e995d52485cdb3f5eaf00457847ee42"
},
"target_context": {
"dst_port": 4433,
"service": "quic-http3-stub",
"service_name": "quic-http3-stub",
"risk_score": 33
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Type \u00ab quic_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ef6407f75feefd29d980ba6df77175308957a83d",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"port": 4433,
"service": "quic-http3-stub",
"service_label_fr": "QUIC HTTP3 STUB"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "quic probe \u00b7 via QUIC HTTP3 STUB:4433 \u00b7 (sonde \/ probe)",
"target_port_label": "4433 \u00b7 QUIC HTTP3 STUB",
"emulator_service": "quic-http3-stub",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab quic_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab quic_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "quic-http3-stub",
"service_label_fr": "QUIC HTTP3 STUB",
"dst_port": 4433,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-quic-http3-stub",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"port": 4433,
"service": "quic-http3-stub",
"service_label_fr": "QUIC HTTP3 STUB"
},
"attack_vector": "quic probe \u00b7 via QUIC HTTP3 STUB:4433 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4433\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "4433 \u00b7 QUIC HTTP3 STUB",
"emulator_service": "quic-http3-stub",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "quic_http3_stub",
"service_banner": "honeypot-quic-http3-stub",
"service_os": "linux",
"dst_port": "4433"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_quic_probe",
"quic_http3_stub_emulated",
"quic_http3_stub_payload"
],
"asn_dc_heuristic": true
}
19/06/2026 06:42:47 UTC
TCP
9600 · TLS
Scan de ports
port scan syn · via TLS:9600 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9600
Chemin / cible
—
Service
TLS
Payload
�����������"��3)���@{��R��џ�E��ճWә�G�kW} X�{�yl{�}��g�� i�I����$b��{��<���&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������"��3)���@{��R��џ�E��ճWә�G�kW} X�{�yl{�}��g�� i�I����$b��{��<���&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
�����������"��3)���@{��R��џ�E��ճWә�G�kW} X�{�yl{�}��g�� i�I����$b��{��<���&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� R ����*RwXRJ�� q� j9v��+���W)
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.740478600481189,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 9600,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "cbe9745b45d433552c71698b09c54fb045066728",
"event_fingerprint": "d28f499461f32da7a9d1d0d628b7cc70b8a6ba25",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "bfa92d53fb73c8a4953ab988222d2543",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9600,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffd\u00013)\ufffd\ufffd\u0006@{\ufffd\ufffdR\ufffd\ufffd\u045f\u001aE\ufffd\ufffd\u0573W\u04d9\ufffdG\ufffdkW} X\ufffd{\ufffdyl{\ufffd}\ufffd\ufffdg\ufffd\ufffd\ti\ufffdI\ufffd\ufffd\u0015\ufffd$b\ufffd\ufffd{\ufffd\ufffd<\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffd\u00013)\ufffd\ufffd\u0006@{\ufffd\ufffdR\ufffd\ufffd\u045f\u001aE\ufffd\ufffd\u0573W\u04d9\ufffdG\ufffdkW} X\ufffd{\ufffdyl{\ufffd}\ufffd\ufffdg\ufffd\ufffd\ti\ufffdI\ufffd\ufffd\u0015\ufffd$b\ufffd\ufffd{\ufffd\ufffd<\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 R\r\ufffd\ufffd\ufffd\u0002*RwXR\ue4c3J\ufffd\ufffd\nq\u001d\fj9v\ufffd\ufffd+\ufffd\ufffd\ufffdW)",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffd\u00013)\ufffd\ufffd\u0006@{\ufffd\ufffdR\ufffd\ufffd\u045f\u001aE\ufffd\ufffd\u0573W\u04d9\ufffdG\ufffdkW} X\ufffd{\ufffdyl{\ufffd}\ufffd\ufffdg\ufffd\ufffd\ti\ufffdI\ufffd\ufffd\u0015\ufffd$b\ufffd\ufffd{\ufffd\ufffd<\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0f926e02361d03ea6bf7ab414daf8e7e1f370711",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffd\u00013)\ufffd\ufffd\u0006@{\ufffd\ufffdR\ufffd\ufffd\u045f\u001aE\ufffd\ufffd\u0573W\u04d9\ufffdG\ufffdkW} X\ufffd{\ufffdyl{\ufffd}\ufffd\ufffdg\ufffd\ufffd\ti\ufffdI\ufffd\ufffd\u0015\ufffd$b\ufffd\ufffd{\ufffd\ufffd<\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9600,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\"\ufffd3)\ufffd\ufffd@{\ufffd\ufffdR\ufffd\ufffd\u045fE\ufffd\ufffd\u0573W\u04d9\ufffdG\ufffdkW} X\ufffd{\ufffdyl{\ufffd}\ufffd\ufffdg\ufffd\ufffd\ti\ufffdI\ufffd\ufffd\ufffd$b\ufffd\ufffd{\ufffd\ufffd<\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "port scan syn \u00b7 via TLS:9600 \u00b7 (reconnaissance)",
"target_port_label": "9600 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (3 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9600,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\"\ufffd\u00013)\ufffd\ufffd\u0006@{\ufffd\ufffdR\ufffd\ufffd\u045f\u001aE\ufffd\ufffd\u0573W\u04d9\ufffdG\ufffdkW} X\ufffd{\ufffdyl{\ufffd}\ufffd\ufffdg\ufffd\ufffd\ti\ufffdI\ufffd\ufffd\u0015\ufffd$b\ufffd\ufffd{\ufffd\ufffd<\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9600,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:9600 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\"\ufffd3)\ufffd\ufffd@{\ufffd\ufffdR\ufffd\ufffd\u045fE\ufffd\ufffd\u0573W\u04d9\ufffdG\ufffdkW} X\ufffd{\ufffdyl{\ufffd}\ufffd\ufffdg\ufffd\ufffd\ti\ufffdI\ufffd\ufffd\ufffd$b\ufffd\ufffd{\ufffd\ufffd<\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "9600 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9600"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:9600",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
19/06/2026 06:42:08 UTC
TCP
9600 · TLS
Scan de ports
port scan syn · via TLS:9600 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
JA3 7c1e207beb00684b
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9600
Chemin / cible
—
Service
TLS
Payload
�����������B?m8N5�������֤Ww� ^d�����.+��>� ��5m+9ϖq��R�������@W�-.&��@u����&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������B?m8N5�������֤Ww��^d�����.+��>� ��5m+9ϖq��R�������@W�-.&��@u����&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
�����������B?m8N5�������֤Ww� ^d�����.+��>� ��5m+9ϖq��R�������@W�-.&��@u����&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� �J�~N�J�l���Ʊ��w��9w{�W>��
Meta JSON brut
{
"tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"tls_alpn": [
"h2",
"http\/1.1"
],
"bytes_in": 261,
"payload_entropy": 5.900772703204928,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 9600,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "cbe9745b45d433552c71698b09c54fb045066728",
"event_fingerprint": "1c94229648c129bee7c1e4caaffbc85972f1b94a",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"payload_hash": "c3ae6ea8b655057891e37444194fa562",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 9600,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003B?m8N5\ufffd\ufffd\u0001\u0012\ufffd\ufffd\ufffd\u05a4Ww\ufffd\u000b^d\ufffd\ufffd\ufffd\ufffd\u0007.+\ufffd\ufffd>\ufffd \ufffd\ufffd5m+9\u03d6q\ufffd\u000fR\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd@W\ufffd-.&\ufffd\ufffd@u\ufffd\u0019\u0012\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003B?m8N5\ufffd\ufffd\u0001\u0012\ufffd\ufffd\ufffd\u05a4Ww\ufffd\u000b^d\ufffd\ufffd\ufffd\ufffd\u0007.+\ufffd\ufffd>\ufffd \ufffd\ufffd5m+9\u03d6q\ufffd\u000fR\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd@W\ufffd-.&\ufffd\ufffd@u\ufffd\u0019\u0012\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdJ\ufffd~N\u000fJ\ufffdl\ufffd\ufffd\ufffd\u01b1\ufffd\ufffdw\ufffd\ufffd9w{\ufffdW>\u0014\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003B?m8N5\ufffd\ufffd\u0001\u0012\ufffd\ufffd\ufffd\u05a4Ww\ufffd\u000b^d\ufffd\ufffd\ufffd\ufffd\u0007.+\ufffd\ufffd>\ufffd \ufffd\ufffd5m+9\u03d6q\ufffd\u000fR\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd@W\ufffd-.&\ufffd\ufffd@u\ufffd\u0019\u0012\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2522c67943aa356a67e2f55760aca45ee97f155e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003B?m8N5\ufffd\ufffd\u0001\u0012\ufffd\ufffd\ufffd\u05a4Ww\ufffd\u000b^d\ufffd\ufffd\ufffd\ufffd\u0007.+\ufffd\ufffd>\ufffd \ufffd\ufffd5m+9\u03d6q\ufffd\u000fR\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd@W\ufffd-.&\ufffd\ufffd@u\ufffd\u0019\u0012\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 9600,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffdB?m8N5\ufffd\ufffd\ufffd\ufffd\ufffd\u05a4Ww\ufffd^d\ufffd\ufffd\ufffd\ufffd.+\ufffd\ufffd>\ufffd \ufffd\ufffd5m+9\u03d6q\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd@W\ufffd-.&\ufffd\ufffd@u\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via TLS:9600 \u00b7 (reconnaissance)",
"target_port_label": "9600 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (3 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9600,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003B?m8N5\ufffd\ufffd\u0001\u0012\ufffd\ufffd\ufffd\u05a4Ww\ufffd\u000b^d\ufffd\ufffd\ufffd\ufffd\u0007.+\ufffd\ufffd>\ufffd \ufffd\ufffd5m+9\u03d6q\ufffd\u000fR\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\ufffd@W\ufffd-.&\ufffd\ufffd@u\ufffd\u0019\u0012\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 9600,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:9600 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffdB?m8N5\ufffd\ufffd\ufffd\ufffd\ufffd\u05a4Ww\ufffd^d\ufffd\ufffd\ufffd\ufffd.+\ufffd\ufffd>\ufffd \ufffd\ufffd5m+9\u03d6q\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd@W\ufffd-.&\ufffd\ufffd@u\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "9600 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9600"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:9600",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
19/06/2026 06:41:55 UTC
TCP
8389 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8389 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8389
Chemin / cible
—
Service
TLS
Payload
���������������;J�������S���5����j���Y5��� i��{��d���"4�,��.��_����mx���K�w�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������;J�������S���5����j���Y5��� i��{��d���"4�,��.��_����mx���K�w�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
���������������;J�������S���5����j���Y5��� i��{��d���"4�,��.��_����mx���K�w�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �$7(/�-� ��?����f� w�K���M{�.��R
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.779111676499495,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 8389,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "5d7a73691ab94010c0bb3603316de0f726ec73d8",
"event_fingerprint": "be9bcd36b094800d01a8aba9f803a386bba23f9c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "20153d8501bf8af39e46b07d6b4427f8",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8389,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd;J\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\u001c5\ufffd\ufffd\ufffd\u0012j\ufffd\u0014\ufffdY5\ufffd\u0015\ufffd i\ufffd\ufffd{\u0011\ufffdd\ufffd\ufffd\ufffd\"4\ufffd,\ufffd\b.\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdmx\ufffd\ufffd\ufffdK\u0019w\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd;J\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\u001c5\ufffd\ufffd\ufffd\u0012j\ufffd\u0014\ufffdY5\ufffd\u0015\ufffd i\ufffd\ufffd{\u0011\ufffdd\ufffd\ufffd\ufffd\"4\ufffd,\ufffd\b.\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdmx\ufffd\ufffd\ufffdK\u0019w\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd$7(\/\u0000-\u0011\r\ufffd\ufffd?\ufffd\ufffd\ufffd\u001ff\ufffd\u000bw\ufffdK\u0010\ufffd\ufffdM{\ufffd.\ufffd\ufffdR",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd;J\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\u001c5\ufffd\ufffd\ufffd\u0012j\ufffd\u0014\ufffdY5\ufffd\u0015\ufffd i\ufffd\ufffd{\u0011\ufffdd\ufffd\ufffd\ufffd\"4\ufffd,\ufffd\b.\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdmx\ufffd\ufffd\ufffdK\u0019w\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "577b7da6785bd8441901b3525a1b2f954bad1b31",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd;J\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\u001c5\ufffd\ufffd\ufffd\u0012j\ufffd\u0014\ufffdY5\ufffd\u0015\ufffd i\ufffd\ufffd{\u0011\ufffdd\ufffd\ufffd\ufffd\"4\ufffd,\ufffd\b.\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdmx\ufffd\ufffd\ufffdK\u0019w\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8389,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;J\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd5\ufffd\ufffd\ufffdj\ufffd\ufffdY5\ufffd\ufffd i\ufffd\ufffd{\ufffdd\ufffd\ufffd\ufffd\"4\ufffd,\ufffd.\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdmx\ufffd\ufffd\ufffdKw&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:8389 \u00b7 (sonde \/ probe)",
"target_port_label": "8389 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8389,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd;J\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\u001c5\ufffd\ufffd\ufffd\u0012j\ufffd\u0014\ufffdY5\ufffd\u0015\ufffd i\ufffd\ufffd{\u0011\ufffdd\ufffd\ufffd\ufffd\"4\ufffd,\ufffd\b.\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdmx\ufffd\ufffd\ufffdK\u0019w\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8389,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8389 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;J\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd5\ufffd\ufffd\ufffdj\ufffd\ufffdY5\ufffd\ufffd i\ufffd\ufffd{\ufffdd\ufffd\ufffd\ufffd\"4\ufffd,\ufffd.\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdmx\ufffd\ufffd\ufffdKw&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8389 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8389"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:9600",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
19/06/2026 06:41:54 UTC
TCP
1963 · TLS
Sonde PostgreSQL
postgres probe · via TLS:1963 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
1963
Chemin / cible
—
Service
TLS
Payload
���������������)�S�nf�_n }�m�����c*����Ѱ_ �c�Jp��<U�_��������ԍa,ɣ˜���$T�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������)�S�nf�_n
}�m�����c*����Ѱ_ �c�Jp��<U�_��������ԍa,ɣ˜���$T�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
���������������)�S�nf�_n }�m�����c*����Ѱ_ �c�Jp��<U�_��������ԍa,ɣ˜���$T�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �)S!����C�r���al�2���}^Z��7$�c�
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.79985909242716,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 1963,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "aec791e069ea8597c13e436b512e5a626e94c7a4",
"event_fingerprint": "7f6ca270d6562f05b62f0df1744b5d3d6371467e",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "3be165ece85ad5fa25b24f7cd4fc72ae",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 1963,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0015)\ufffdS\ufffdnf\ufffd_n\r}\ufffdm\ufffd\ufffd\ufffd\ufffd\u0018c*\ufffd\u0005\ufffd\ufffd\u0470_ \ufffdc\ufffdJp\ufffd\ufffd<U\ufffd_\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\u050da,\u0263\u02dc\ufffd\u0006\ufffd$T\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0015)\ufffdS\ufffdnf\ufffd_n\r}\ufffdm\ufffd\ufffd\ufffd\ufffd\u0018c*\ufffd\u0005\ufffd\ufffd\u0470_ \ufffdc\ufffdJp\ufffd\ufffd<U\ufffd_\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\u050da,\u0263\u02dc\ufffd\u0006\ufffd$T\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000b\ufffd)S!\ufffd\u0004\ufffd\ufffdC\ufffdr\u000e\u0019\ufffdal\ufffd2\ufffd\ufffd\ufffd}^Z\ufffd\u001c7$\ufffdc\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0015)\ufffdS\ufffdnf\ufffd_n\r}\ufffdm\ufffd\ufffd\ufffd\ufffd\u0018c*\ufffd\u0005\ufffd\ufffd\u0470_ \ufffdc\ufffdJp\ufffd\ufffd<U\ufffd_\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\u050da,\u0263\u02dc\ufffd\u0006\ufffd$T\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b802eeb3037b1095c690e388b3eeb1f40982ce38",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0015)\ufffdS\ufffdnf\ufffd_n\r}\ufffdm\ufffd\ufffd\ufffd\ufffd\u0018c*\ufffd\u0005\ufffd\ufffd\u0470_ \ufffdc\ufffdJp\ufffd\ufffd<U\ufffd_\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\u050da,\u0263\u02dc\ufffd\u0006\ufffd$T\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 1963,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd)\ufffdS\ufffdnf\ufffd_n\r}\ufffdm\ufffd\ufffd\ufffd\ufffdc*\ufffd\ufffd\ufffd\u0470_ \ufffdc\ufffdJp\ufffd\ufffd<U\ufffd_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u050da,\u0263\u02dc\ufffd\ufffd$T&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:1963 \u00b7 (sonde \/ probe)",
"target_port_label": "1963 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 1963,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0015)\ufffdS\ufffdnf\ufffd_n\r}\ufffdm\ufffd\ufffd\ufffd\ufffd\u0018c*\ufffd\u0005\ufffd\ufffd\u0470_ \ufffdc\ufffdJp\ufffd\ufffd<U\ufffd_\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\u050da,\u0263\u02dc\ufffd\u0006\ufffd$T\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 1963,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:1963 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd)\ufffdS\ufffdnf\ufffd_n\r}\ufffdm\ufffd\ufffd\ufffd\ufffdc*\ufffd\ufffd\ufffd\u0470_ \ufffdc\ufffdJp\ufffd\ufffd<U\ufffd_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u050da,\u0263\u02dc\ufffd\ufffd$T&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "1963 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "1963"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:9600",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
19/06/2026 06:40:49 UTC
TCP
1963 · TLS
Scan de ports
port scan syn · via TLS:1963 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
JA3 7c1e207beb00684b
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
1963
Chemin / cible
—
Service
TLS
Payload
�������������ԧ���\i��K����A��r�j���ug��� �����/�xW�X���Td��">��A�=Sk��&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������ԧ���\i��K����A��r�j���ug��� �����/�xW�X���Td��">��A�=Sk��&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
�������������ԧ���\i��K����A��r�j���ug��� �����/�xW�X���Td��">��A�=Sk��&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� ���� �p�|���Y�Vs����� �����
Meta JSON brut
{
"tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"tls_alpn": [
"h2",
"http\/1.1"
],
"bytes_in": 261,
"payload_entropy": 5.970287249871821,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 1963,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "aec791e069ea8597c13e436b512e5a626e94c7a4",
"event_fingerprint": "8bcecab39cd1c355cfaad9c915da86f7b2e355d2",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"payload_hash": "8c81b0d9ce483e1488982a28d60a2a0f",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 1963,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0527\ufffd\ufffd\ufffd\\i\ufffd\ufffdK\u001d\ufffd\ufffd\ufffdA\ufffd\ufffdr\ufffdj\u0013\ufffd\ufffdug\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\u0018\/\u001dxW\ufffdX\ufffd\u0002\ufffdTd\ufffd\ufffd\">\ufffd\ufffdA\ufffd=Sk\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0527\ufffd\ufffd\ufffd\\i\ufffd\ufffdK\u001d\ufffd\ufffd\ufffdA\ufffd\ufffdr\ufffdj\u0013\ufffd\ufffdug\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\u0018\/\u001dxW\ufffdX\ufffd\u0002\ufffdTd\ufffd\ufffd\">\ufffd\ufffdA\ufffd=Sk\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd\r\u0018p\ufffd|\ufffd\ufffd\ufffdY\ufffdVs\ufffd\ufffd\u001b\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffd\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0527\ufffd\ufffd\ufffd\\i\ufffd\ufffdK\u001d\ufffd\ufffd\ufffdA\ufffd\ufffdr\ufffdj\u0013\ufffd\ufffdug\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\u0018\/\u001dxW\ufffdX\ufffd\u0002\ufffdTd\ufffd\ufffd\">\ufffd\ufffdA\ufffd=Sk\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d9f5558452049d347dca95035b1f6d4183fd24d6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0527\ufffd\ufffd\ufffd\\i\ufffd\ufffdK\u001d\ufffd\ufffd\ufffdA\ufffd\ufffdr\ufffdj\u0013\ufffd\ufffdug\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\u0018\/\u001dxW\ufffdX\ufffd\u0002\ufffdTd\ufffd\ufffd\">\ufffd\ufffdA\ufffd=Sk\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 1963,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u0527\ufffd\ufffd\ufffd\\i\ufffd\ufffdK\ufffd\ufffd\ufffdA\ufffd\ufffdr\ufffdj\ufffd\ufffdug\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\/xW\ufffdX\ufffd\ufffdTd\ufffd\ufffd\">\ufffd\ufffdA\ufffd=Sk\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "port scan syn \u00b7 via TLS:1963 \u00b7 (reconnaissance)",
"target_port_label": "1963 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (3 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 1963,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0527\ufffd\ufffd\ufffd\\i\ufffd\ufffdK\u001d\ufffd\ufffd\ufffdA\ufffd\ufffdr\ufffdj\u0013\ufffd\ufffdug\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\u0018\/\u001dxW\ufffdX\ufffd\u0002\ufffdTd\ufffd\ufffd\">\ufffd\ufffdA\ufffd=Sk\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 1963,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:1963 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u0527\ufffd\ufffd\ufffd\\i\ufffd\ufffdK\ufffd\ufffd\ufffdA\ufffd\ufffdr\ufffdj\ufffd\ufffdug\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\/xW\ufffdX\ufffd\ufffdTd\ufffd\ufffd\">\ufffd\ufffdA\ufffd=Sk\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "1963 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "1963"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:9600",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
19/06/2026 06:40:39 UTC
TCP
8389 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8389 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 7c1e207beb00684b
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8389
Chemin / cible
—
Service
TLS
Payload
������������4�$b��#��� �\�z�ZzG�#�µq�b�9X $�'�x�6����j�������W3�3�H&�.Ae�&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������4�$b��#��� �\�z�ZzG�#�µq�b�9X $�'�x�6����j�������W3�3�H&�.Ae�&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
������������4�$b��#��� �\�z�ZzG�#�µq�b�9X $�'�x�6����j�������W3�3�H&�.Ae�&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� \�3Z,���[��u;r���ynOo��G���
Meta JSON brut
{
"tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"tls_alpn": [
"h2",
"http\/1.1"
],
"bytes_in": 261,
"payload_entropy": 5.864342200644046,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 8389,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "5d7a73691ab94010c0bb3603316de0f726ec73d8",
"event_fingerprint": "992256badd12ce4c6830a8b24f5db45e536a1263",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"payload_hash": "bea52d2533ea79c9397fb0045d80331c",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 8389,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd$b\ufffd\u0012#\u0017\ufffd\u000f\t\ufffd\\\ufffdz\ufffdZzG\ufffd#\ufffd\u00b5q\ufffdb\ufffd9X $\ufffd'\ufffdx\ufffd6\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\b\ufffd\ufffd\ufffd\ufffdW3\ufffd3\ufffdH&\ufffd.Ae\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd$b\ufffd\u0012#\u0017\ufffd\u000f\t\ufffd\\\ufffdz\ufffdZzG\ufffd#\ufffd\u00b5q\ufffdb\ufffd9X $\ufffd'\ufffdx\ufffd6\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\b\ufffd\ufffd\ufffd\ufffdW3\ufffd3\ufffdH&\ufffd.Ae\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \\\u00053Z,\ufffd\u0015\u000e[\ufffd\ufffdu;r\ufffd\u0000\ufffdynOo\u0016\ufffdG\u0012\u0004\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd$b\ufffd\u0012#\u0017\ufffd\u000f\t\ufffd\\\ufffdz\ufffdZzG\ufffd#\ufffd\u00b5q\ufffdb\ufffd9X $\ufffd'\ufffdx\ufffd6\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\b\ufffd\ufffd\ufffd\ufffdW3\ufffd3\ufffdH&\ufffd.Ae\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "274580fb4e7e02f1e0016449f898567d900ec8be",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd$b\ufffd\u0012#\u0017\ufffd\u000f\t\ufffd\\\ufffdz\ufffdZzG\ufffd#\ufffd\u00b5q\ufffdb\ufffd9X $\ufffd'\ufffdx\ufffd6\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\b\ufffd\ufffd\ufffd\ufffdW3\ufffd3\ufffdH&\ufffd.Ae\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 8389,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd4\ufffd$b\ufffd#\ufffd\t\ufffd\\\ufffdz\ufffdZzG\ufffd#\ufffd\u00b5q\ufffdb\ufffd9X $\ufffd'\ufffdx\ufffd6\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW3\ufffd3\ufffdH&\ufffd.Ae&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:8389 \u00b7 (sonde \/ probe)",
"target_port_label": "8389 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8389,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd4\ufffd$b\ufffd\u0012#\u0017\ufffd\u000f\t\ufffd\\\ufffdz\ufffdZzG\ufffd#\ufffd\u00b5q\ufffdb\ufffd9X $\ufffd'\ufffdx\ufffd6\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\b\ufffd\ufffd\ufffd\ufffdW3\ufffd3\ufffdH&\ufffd.Ae\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 8389,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8389 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd4\ufffd$b\ufffd#\ufffd\t\ufffd\\\ufffdz\ufffdZzG\ufffd#\ufffd\u00b5q\ufffdb\ufffd9X $\ufffd'\ufffdx\ufffd6\ufffd\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW3\ufffd3\ufffdH&\ufffd.Ae&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "8389 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8389"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:9600",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
19/06/2026 06:40:09 UTC
TCP
9600 · HTTP
Scan de ports
port scan syn · via HTTP:9600 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9600
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9600
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9600 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "44cc785096eee70b8adc49c022e7d721f0cbe382",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.273205796141991,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 9600,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 55,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "eddade8c8e796b81df524e242b580a2b99b83b38",
"event_fingerprint": "58945d40ae9ce74f64599613c1ed3764c76ba887",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "2cec5c8b466fbcacb4252ed5a4da66ce",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9600,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "72d940e55f3206bace685b6451d777d53c97de24",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 9600,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "port scan syn \u00b7 via HTTP:9600 \u00b7 (reconnaissance)",
"target_port_label": "9600 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9600,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 9600,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:9600 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "9600 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9600"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:9600"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
19/06/2026 06:39:28 UTC
TCP
1963 · HTTP
Scan de ports
port scan syn · via HTTP:1963 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
1963
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1963
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1963 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "df1fa056ede7bb4d9931324d42f1394e668ba780",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.276818130884886,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 1963,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 53,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c493b36551d57983f8ecf31a9ee91b69d63b368e",
"event_fingerprint": "20c6f35db7bcf1ba6042009b1783128cf2bbbae8",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "8bfff2f622512b235a8bf4ed9b178b88",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1963,
"service": "http",
"service_name": "http",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9409da5942525deee9dc74e0f4024d069ba3bb98",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 1963,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "port scan syn \u00b7 via HTTP:1963 \u00b7 (reconnaissance)",
"target_port_label": "1963 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1963,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 1963,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:1963 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "1963 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1963"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:9600"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
19/06/2026 06:39:27 UTC
TCP
8389 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:8389 · (tentative d'exploit)
Élevée
Moyen · 52
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8389
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
70%
Corrélation +8
Risque capteur
Moyen
· 52
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8389
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8389 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "534d62b8b01958c48e8739a0641632a46691c3f6",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.303756596998638,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 8389,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 52,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "27876f4502289cfc391708eb6cec65aae847871f",
"event_fingerprint": "8d26aae4f27288501cdd2c23b7fc958ab95217ea",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.7,
"classification_confidence": 0.7,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 52,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "b95596dff5ce592ab9644600aefb09c1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8389,
"service": "http",
"service_name": "http",
"risk_score": 52
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ba0703cb9bc4adb9c17390a9352cf2afae95ee1b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8389,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:8389 \u00b7 (tentative d'exploit)",
"target_port_label": "8389 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 70,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 52,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8389,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8389,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:8389 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "8389 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8389"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:9600"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
19/06/2026 06:38:50 UTC
TCP
9600 · HTTP
Scan de ports
port scan syn · via HTTP:9600 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9600
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9600
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9600 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "44cc785096eee70b8adc49c022e7d721f0cbe382",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.273205796141991,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 9600,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 55,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "eddade8c8e796b81df524e242b580a2b99b83b38",
"event_fingerprint": "58945d40ae9ce74f64599613c1ed3764c76ba887",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "2cec5c8b466fbcacb4252ed5a4da66ce",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9600,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "72d940e55f3206bace685b6451d777d53c97de24",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 9600,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "port scan syn \u00b7 via HTTP:9600 \u00b7 (reconnaissance)",
"target_port_label": "9600 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9600,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 9600,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:9600 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "9600 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9600"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:9600"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
19/06/2026 06:38:41 UTC
TCP
9600
—
Scan de ports
port scan syn · port 9600 · (reconnaissance)
Faible
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9600
Chemin / cible
—
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance élevée (100 %) — signaux convergents
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 1,
"payload_entropy": 0,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": null,
"app_proto": null,
"asn": 16509,
"country": "US",
"dst_port": 9600,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 42,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "59bc5b2b248ee57438fd916cdddb96d3a40f9993",
"event_fingerprint": "f8ac9459adbf20c43146378f9a039a2b57d0c159",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "01ba4719c80b6fe911b091a7c05124b6",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 9600,
"risk_score": 42
},
"payload_preview": "\n",
"request_sample": "\n",
"evidence": {
"request_sample": "\n",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8bafd2d1a4e5ed3c509de1514cd42e9867602e29",
"protocol_details": {
"port": 9600
},
"attack_vector": "port scan syn \u00b7 port 9600 \u00b7 (reconnaissance)",
"target_port_label": "9600",
"confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 9600,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"port": 9600
},
"attack_vector": "port scan syn \u00b7 port 9600 \u00b7 (reconnaissance)",
"evidence_snippet": null,
"target_port_label": "9600",
"emulator_service": null,
"confidence_reason": "Confiance \u00e9lev\u00e9e (100 %) \u2014 signaux convergents",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "9600"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:9600"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
19/06/2026 06:38:11 UTC
TCP
1963 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:1963 · (tentative d'exploit)
Élevée
Moyen · 50
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
1963
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 50
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1963
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1963 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "df1fa056ede7bb4d9931324d42f1394e668ba780",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.276818130884886,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 1963,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 50,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "c493b36551d57983f8ecf31a9ee91b69d63b368e",
"event_fingerprint": "20c6f35db7bcf1ba6042009b1783128cf2bbbae8",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "8bfff2f622512b235a8bf4ed9b178b88",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1963,
"service": "http",
"service_name": "http",
"risk_score": 50
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "533f514f02650e1b3dcb27041baa8de67694f6f8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 1963,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:1963 \u00b7 (tentative d'exploit)",
"target_port_label": "1963 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 50
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1963,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 1963,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:1963 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1963\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "1963 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1963"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
19/06/2026 06:37:56 UTC
TCP
8389 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:8389 · (tentative d'exploit)
Élevée
Moyen · 52
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8389
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 52
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8389
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8389 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "534d62b8b01958c48e8739a0641632a46691c3f6",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.303756596998638,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 8389,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 52,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "27876f4502289cfc391708eb6cec65aae847871f",
"event_fingerprint": "8d26aae4f27288501cdd2c23b7fc958ab95217ea",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 52
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "b95596dff5ce592ab9644600aefb09c1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8389,
"service": "http",
"service_name": "http",
"risk_score": 52
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ba0703cb9bc4adb9c17390a9352cf2afae95ee1b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8389,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:8389 \u00b7 (tentative d'exploit)",
"target_port_label": "8389 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 52
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8389,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8389,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:8389 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8389\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "8389 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8389"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}