18/06/2026 14:21:30 UTC
TCP
1443 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:1443 · (tentative d'exploit)
Élevée
Moyen · 51
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
1443
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 51
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1443
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1443 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "e217923dbbc6bf0a923b5e203c553b7387e57d65",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.2833370444861245,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 1443,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 51,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3aec2bc13701e7f642862bc363526ffdebf08e0c",
"event_fingerprint": "695750416c522f0d0c1a4838a7a9c631fa155ff0",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 51
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "00a25c19db3d25f7cb785c114418d510",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1443,
"service": "http",
"service_name": "http",
"risk_score": 51
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5800b8d75c38991b4d93f7c8b2acd1ac8151c58c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 1443,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:1443 \u00b7 (tentative d'exploit)",
"target_port_label": "1443 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 51
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1443,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 1443,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:1443 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "1443 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
18/06/2026 14:20:26 UTC
TCP
1443 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:1443 · (tentative d'exploit)
Élevée
Moyen · 51
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
1443
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 51
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1443
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1443 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "e217923dbbc6bf0a923b5e203c553b7387e57d65",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.2833370444861245,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 1443,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 51,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3aec2bc13701e7f642862bc363526ffdebf08e0c",
"event_fingerprint": "695750416c522f0d0c1a4838a7a9c631fa155ff0",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 51
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "00a25c19db3d25f7cb785c114418d510",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1443,
"service": "http",
"service_name": "http",
"risk_score": 51
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5800b8d75c38991b4d93f7c8b2acd1ac8151c58c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 1443,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:1443 \u00b7 (tentative d'exploit)",
"target_port_label": "1443 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 51
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1443,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 1443,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:1443 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "1443 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 96
}
18/06/2026 14:10:45 UTC
TCP
8099 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8099 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 7c1e207beb00684b
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8099
Chemin / cible
—
Service
TLS
Payload
������������Bk����\��5����R�M{c��*��u^��=� ��`���^h�{�ݒ_%C$�=����Ĩ�S����[�&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������Bk����\��5����R�M{c��*��u^��=� ��`���^h�{�ݒ_%C$�=����Ĩ�S����[�&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
������������Bk����\��5����R�M{c��*��u^��=� ��`���^h�{�ݒ_%C$�=����Ĩ�S����[�&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� �����^�>e�mA��ݫ5,i�da8�a�
Meta JSON brut
{
"tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"tls_alpn": [
"h2",
"http\/1.1"
],
"bytes_in": 261,
"payload_entropy": 5.882299555149463,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 8099,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "2a9a08889554eedc7720a64064e745e523131059",
"event_fingerprint": "7b7cdcacbed181792f6ba50fa8619fd53b1a9063",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"payload_hash": "df0e45351708fadeb42a14ca9d8fc2a2",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 8099,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdBk\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd5\ufffd\ufffd\ufffd\u0018R\ufffdM{c\ufffd\ufffd*\ufffd\ufffdu^\ufffd\ufffd=\ufffd \u0016\ufffd`\ufffd\u0003\ufffd^h\u0004{\ufffd\u0752_%C$\ufffd=\ufffd\u001a\u0000\ufffd\u0128\ufffdS\ufffd\ufffd\ufffd\u0006[\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdBk\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd5\ufffd\ufffd\ufffd\u0018R\ufffdM{c\ufffd\ufffd*\ufffd\ufffdu^\ufffd\ufffd=\ufffd \u0016\ufffd`\ufffd\u0003\ufffd^h\u0004{\ufffd\u0752_%C$\ufffd=\ufffd\u001a\u0000\ufffd\u0128\ufffdS\ufffd\ufffd\ufffd\u0006[\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u0006\ufffd\ufffd^\ufffd>e\u001bmA\ufffd\ufffd\u076b5,i\ufffdda8\ufffda\u001d",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdBk\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd5\ufffd\ufffd\ufffd\u0018R\ufffdM{c\ufffd\ufffd*\ufffd\ufffdu^\ufffd\ufffd=\ufffd \u0016\ufffd`\ufffd\u0003\ufffd^h\u0004{\ufffd\u0752_%C$\ufffd=\ufffd\u001a\u0000\ufffd\u0128\ufffdS\ufffd\ufffd\ufffd\u0006[\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "744442e319caa07ab041c7535353c9afd7749f9d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdBk\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd5\ufffd\ufffd\ufffd\u0018R\ufffdM{c\ufffd\ufffd*\ufffd\ufffdu^\ufffd\ufffd=\ufffd \u0016\ufffd`\ufffd\u0003\ufffd^h\u0004{\ufffd\u0752_%C$\ufffd=\ufffd\u001a\u0000\ufffd\u0128\ufffdS\ufffd\ufffd\ufffd\u0006[\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 8099,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdBk\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd5\ufffd\ufffd\ufffdR\ufffdM{c\ufffd\ufffd*\ufffd\ufffdu^\ufffd\ufffd=\ufffd \ufffd`\ufffd\ufffd^h{\ufffd\u0752_%C$\ufffd=\ufffd\ufffd\u0128\ufffdS\ufffd\ufffd\ufffd[&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:8099 \u00b7 (sonde \/ probe)",
"target_port_label": "8099 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8099,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdBk\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd5\ufffd\ufffd\ufffd\u0018R\ufffdM{c\ufffd\ufffd*\ufffd\ufffdu^\ufffd\ufffd=\ufffd \u0016\ufffd`\ufffd\u0003\ufffd^h\u0004{\ufffd\u0752_%C$\ufffd=\ufffd\u001a\u0000\ufffd\u0128\ufffdS\ufffd\ufffd\ufffd\u0006[\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 8099,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8099 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdBk\ufffd\ufffd\ufffd\ufffd\\\ufffd\ufffd5\ufffd\ufffd\ufffdR\ufffdM{c\ufffd\ufffd*\ufffd\ufffdu^\ufffd\ufffd=\ufffd \ufffd`\ufffd\ufffd^h{\ufffd\u0752_%C$\ufffd=\ufffd\ufffd\u0128\ufffdS\ufffd\ufffd\ufffd[&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "8099 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8099"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:8099",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
18/06/2026 14:08:52 UTC
TCP
8099 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:8099 · (tentative d'exploit)
Élevée
Moyen · 50
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8099
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
70%
Corrélation +8
Risque capteur
Moyen
· 50
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8099
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8099 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "611196ff5d5ba8288e3fb0ff9b6947637bff1fee",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.302491806840595,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 8099,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 50,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3169cc3ba9e5637f5d023814eae0760ccd1df892",
"event_fingerprint": "3b7a33d80c2eef24d6c407cf752d20c697cf3ac4",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.7,
"classification_confidence": 0.7,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 50,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "8ecdc1e240abf9090b471be05c19ae6c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8099,
"service": "http",
"service_name": "http",
"risk_score": 50
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d4b4543ca4cc287405870e0fd1f56aa33a805984",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8099,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:8099 \u00b7 (tentative d'exploit)",
"target_port_label": "8099 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 70,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 50,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8099,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8099,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:8099 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "8099 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8099"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:8099"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
18/06/2026 14:07:46 UTC
TCP
8099 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:8099 · (tentative d'exploit)
Élevée
Moyen · 50
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8099
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
70%
Corrélation +8
Risque capteur
Moyen
· 50
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8099
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8099 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "611196ff5d5ba8288e3fb0ff9b6947637bff1fee",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.302491806840595,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 8099,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 50,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3169cc3ba9e5637f5d023814eae0760ccd1df892",
"event_fingerprint": "3b7a33d80c2eef24d6c407cf752d20c697cf3ac4",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.7,
"classification_confidence": 0.7,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 50,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "8ecdc1e240abf9090b471be05c19ae6c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8099,
"service": "http",
"service_name": "http",
"risk_score": 50
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d4b4543ca4cc287405870e0fd1f56aa33a805984",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8099,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:8099 \u00b7 (tentative d'exploit)",
"target_port_label": "8099 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 70,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 50,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8099,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8099,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:8099 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "8099 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8099"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:8099"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 96
}
18/06/2026 14:06:35 UTC
TCP
8099
—
Sonde port
Sonde port · port 8099 · (sonde / probe)
Faible
Moyen · 44
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8099
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 1,
"payload_entropy": 0,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": null,
"app_proto": null,
"asn": 16509,
"country": "US",
"dst_port": 8099,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.3,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "23424a62c4fc211bbf8f587564ac79dc9185090a",
"event_fingerprint": "c66a669203297d3c1143b4ee1451551cbd8e079c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "01ba4719c80b6fe911b091a7c05124b6",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 8099,
"risk_score": 44
},
"payload_preview": "\n",
"request_sample": "\n",
"evidence": {
"request_sample": "\n",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "10eeb62fa1683e8f33defe7a45e1d22a6220bba3",
"protocol_details": {
"port": 8099
},
"attack_vector": "Sonde port \u00b7 port 8099 \u00b7 (sonde \/ probe)",
"target_port_label": "8099",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 8099,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 8099
},
"attack_vector": "Sonde port \u00b7 port 8099 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "8099",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "8099"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
18/06/2026 13:54:49 UTC
TCP
8800 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8800 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8800
Chemin / cible
—
Service
TLS
Payload
����������� ;R&#R��)Gk����4$��[� bnV�4}1 �x�۟�1<����%� �+!Wm)f�,:����x=��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������
;R&#R��)Gk����4$��[� bnV�4}1 �x�۟�1<����%� �+!Wm)f�,:����x=��&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
����������� ;R&#R��)Gk����4$��[� bnV�4}1 �x�۟�1<����%� �+!Wm)f�,:����x=��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ��� �%:,�q ��3GAZ�Ь�@��;�>���]
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.785004604878036,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 8800,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "19a05e91343d34e5dbb175b666e2d1ff588f8800",
"event_fingerprint": "c42768ca73332ece92bda214ce06e55f9927e0fe",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "a7ba68bd89d693ff1b650949c6dae8a4",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8800,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r;R&#R\ufffd\ufffd)Gk\ufffd\u000e\ufffd\ufffd4$\u0001\ufffd[\u0017 bnV\u00104}1\ueb0c \ufffdx\ufffd\u06df\u000e1<\ufffd\ufffd\ufffd\u0011%\ufffd\t\u0016+!Wm)f\ufffd,:\ufffd\ufffd\u0013\ufffdx=\u001d\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r;R&#R\ufffd\ufffd)Gk\ufffd\u000e\ufffd\ufffd4$\u0001\ufffd[\u0017 bnV\u00104}1\ueb0c \ufffdx\ufffd\u06df\u000e1<\ufffd\ufffd\ufffd\u0011%\ufffd\t\u0016+!Wm)f\ufffd,:\ufffd\ufffd\u0013\ufffdx=\u001d\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u0012\t\ufffd%:,\ufffdq \ufffd\ufffd3GAZ\u0014\u042c\ufffd@\ufffd\ufffd;\ufffd>\ufffd\ufffd\ufffd]",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r;R&#R\ufffd\ufffd)Gk\ufffd\u000e\ufffd\ufffd4$\u0001\ufffd[\u0017 bnV\u00104}1\ueb0c \ufffdx\ufffd\u06df\u000e1<\ufffd\ufffd\ufffd\u0011%\ufffd\t\u0016+!Wm)f\ufffd,:\ufffd\ufffd\u0013\ufffdx=\u001d\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cf4759c051cd17ff3d89259043e74d55f5fd1944",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r;R&#R\ufffd\ufffd)Gk\ufffd\u000e\ufffd\ufffd4$\u0001\ufffd[\u0017 bnV\u00104}1\ueb0c \ufffdx\ufffd\u06df\u000e1<\ufffd\ufffd\ufffd\u0011%\ufffd\t\u0016+!Wm)f\ufffd,:\ufffd\ufffd\u0013\ufffdx=\u001d\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8800,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\r;R&#R\ufffd\ufffd)Gk\ufffd\ufffd\ufffd4$\ufffd[ bnV4}1\ueb0c \ufffdx\ufffd\u06df1<\ufffd\ufffd\ufffd%\ufffd\t+!Wm)f\ufffd,:\ufffd\ufffd\ufffdx=&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:8800 \u00b7 (sonde \/ probe)",
"target_port_label": "8800 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8800,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\r;R&#R\ufffd\ufffd)Gk\ufffd\u000e\ufffd\ufffd4$\u0001\ufffd[\u0017 bnV\u00104}1\ueb0c \ufffdx\ufffd\u06df\u000e1<\ufffd\ufffd\ufffd\u0011%\ufffd\t\u0016+!Wm)f\ufffd,:\ufffd\ufffd\u0013\ufffdx=\u001d\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8800,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8800 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\r;R&#R\ufffd\ufffd)Gk\ufffd\ufffd\ufffd4$\ufffd[ bnV4}1\ueb0c \ufffdx\ufffd\u06df1<\ufffd\ufffd\ufffd%\ufffd\t+!Wm)f\ufffd,:\ufffd\ufffd\ufffdx=&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8800 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8800"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
18/06/2026 13:53:27 UTC
TCP
8800 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8800 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 7c1e207beb00684b
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8800
Chemin / cible
—
Service
TLS
Payload
������������� �+/����y0&b���v&<l�<@AQ)�y�\ 8�g$�iVP.�G�}q�aI��k/�Z���#����&̨̩�/�0�+�,��� ��� �����/�5��� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������
�+/����y0&b���v&<l�<@AQ)�y�\ 8�g$�iVP.�G�}q�aI��k/�Z���#����&̨̩�/�0�+�,��� ���
�����/�5���
���������������
Requête brute (extrait)
������������� �+/����y0&b���v&<l�<@AQ)�y�\ 8�g$�iVP.�G�}q�aI��k/�Z���#����&̨̩�/�0�+�,��� ��� �����/�5��� �������������������� � ����������� ����� �������������������������������������� �h2�http/1.1�����+� ����������3�&�$��� lw���;� �Wp�«���B�(=s�����
Meta JSON brut
{
"tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"tls_alpn": [
"h2",
"http\/1.1"
],
"bytes_in": 261,
"payload_entropy": 5.8791459814490805,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 16509,
"country": "US",
"dst_port": 8800,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "19a05e91343d34e5dbb175b666e2d1ff588f8800",
"event_fingerprint": "71c2d8fe238490c5a995667b73e65ba510d55f99",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"payload_hash": "bc738cf5b738e237642382ec7d38343a",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 8800,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\n\ufffd+\/\ufffd\u001a\ufffd\ufffdy0&b\ufffd\u0018\ufffdv&<l\ufffd<@AQ)\ufffdy\u0007\\ 8\ufffdg$\u001aiVP.\ufffdG\ufffd}q\ufffdaI\ufffd\ufffdk\/\ufffdZ\ufffd\ufffd\ufffd#\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\n\ufffd+\/\ufffd\u001a\ufffd\ufffdy0&b\ufffd\u0018\ufffdv&<l\ufffd<@AQ)\ufffdy\u0007\\ 8\ufffdg$\u001aiVP.\ufffdG\ufffd}q\ufffdaI\ufffd\ufffdk\/\ufffdZ\ufffd\ufffd\ufffd#\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 lw\ufffd\ufffd\ufffd;\ufffd\r\ufffdWp\ufffd\u00ab\u0012\ufffd\u0001B\ufffd(=s\u001f\ufffd\ufffd\ufffd\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\n\ufffd+\/\ufffd\u001a\ufffd\ufffdy0&b\ufffd\u0018\ufffdv&<l\ufffd<@AQ)\ufffdy\u0007\\ 8\ufffdg$\u001aiVP.\ufffdG\ufffd}q\ufffdaI\ufffd\ufffdk\/\ufffdZ\ufffd\ufffd\ufffd#\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b0e055c41911f168ba25408d3614c481abbbbed7",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\n\ufffd+\/\ufffd\u001a\ufffd\ufffdy0&b\ufffd\u0018\ufffdv&<l\ufffd<@AQ)\ufffdy\u0007\\ 8\ufffdg$\u001aiVP.\ufffdG\ufffd}q\ufffdaI\ufffd\ufffdk\/\ufffdZ\ufffd\ufffd\ufffd#\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 8800,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\n\ufffd+\/\ufffd\ufffd\ufffdy0&b\ufffd\ufffdv&<l\ufffd<@AQ)\ufffdy\\ 8\ufffdg$iVP.\ufffdG\ufffd}q\ufffdaI\ufffd\ufffdk\/\ufffdZ\ufffd\ufffd\ufffd#\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:8800 \u00b7 (sonde \/ probe)",
"target_port_label": "8800 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8800,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\n\ufffd+\/\ufffd\u001a\ufffd\ufffdy0&b\ufffd\u0018\ufffdv&<l\ufffd<@AQ)\ufffdy\u0007\\ 8\ufffdg$\u001aiVP.\ufffdG\ufffd}q\ufffdaI\ufffd\ufffdk\/\ufffdZ\ufffd\ufffd\ufffd#\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5",
"port": 8800,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8800 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\n\ufffd+\/\ufffd\ufffd\ufffdy0&b\ufffd\ufffdv&<l\ufffd<@AQ)\ufffdy\\ 8\ufffdg$iVP.\ufffdG\ufffd}q\ufffdaI\ufffd\ufffdk\/\ufffdZ\ufffd\ufffd\ufffd#\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "8800 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8800"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
18/06/2026 13:51:10 UTC
TCP
8800 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:8800 · (tentative d'exploit)
Élevée
Moyen · 53
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8800
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 53
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8800
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8800 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "7bcd279d4417b56f827a93b5d7ca5fded437b0c7",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.279724709743229,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 8800,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 53,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "7a27eb74e2234f12ae8d79dbdb561a18de58e2d6",
"event_fingerprint": "4b43e467612f766d4443dfb353e6c20217c01499",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 53
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "10b0d8ab615ed12a17ea185651524102",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8800,
"service": "http",
"service_name": "http",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ee859fa007afc78d7cab768f0a279e5047b89521",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8800,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:8800 \u00b7 (tentative d'exploit)",
"target_port_label": "8800 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 53
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8800,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8800,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:8800 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "8800 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8800"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}
18/06/2026 13:50:16 UTC
TCP
8800 · HTTP
Tentative d'exploit
exploit attempt · via HTTP:8800 · (tentative d'exploit)
Élevée
Moyen · 53
Détails
Voir
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8800
Chemin / cible
/
Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 53
Confiance : Confiance 62 % — 3 tag(s) WAF
Signaux
MITRE-T1190
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8800
User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8800 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4",
"http_host_hash": "7bcd279d4417b56f827a93b5d7ca5fded437b0c7",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.279724709743229,
"port_category": "registered",
"org": "Amazon.com, Inc.",
"service": "http",
"app_proto": "http",
"asn": 16509,
"country": "US",
"dst_port": 8800,
"risk_waf": 72,
"risk_classification": 72,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 53,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "7a27eb74e2234f12ae8d79dbdb561a18de58e2d6",
"event_fingerprint": "4b43e467612f766d4443dfb353e6c20217c01499",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 73,
"precision_signals": [
"MITRE-T1190"
],
"kb_rule_ids": [
"MITRE-T1190"
],
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 53
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 16509,
"org": "Amazon.com, Inc.",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cb226636f11f4f631f065fb419a8bab8",
"payload_hash": "10b0d8ab615ed12a17ea185651524102",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8800,
"service": "http",
"service_name": "http",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ee859fa007afc78d7cab768f0a279e5047b89521",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8800,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"attack_vector": "exploit attempt \u00b7 via HTTP:8800 \u00b7 (tentative d'exploit)",
"target_port_label": "8800 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 72,
"classification": 72,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 53
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8800,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1190"
],
"tags_summary_labels_fr": [
"MITRE-T1190"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36",
"port": 8800,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "exploit attempt \u00b7 via HTTP:8800 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8800\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/",
"target_port_label": "8800 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8800"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true
}