|
|
TCP |
8015 · HTTP
|
http
|
http
http · via HTTP:8015 · (sonde / probe)
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET /
Émulateur
HTTP
WAF
3
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8015
Chemin / cible
/
Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 61%
Confiance classification
61%
Risque capteur
Faible
· 35
Confiance : Confiance 61 % — Score WAF 20 · 1 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8015
Accept: */*
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "dbbf72d8a10b0fde36c3fddd66a29360b9c4f477",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 54,
"payload_entropy": 4.499805326037222,
"port_category": "registered",
"org": "Chinanet",
"service": "http",
"app_proto": "http",
"asn": 4134,
"country": "CN",
"dst_port": 8015,
"risk_waf": 20,
"risk_classification": 8,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 20,
"classification": 8,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0
},
"risk_score": 35,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "bdb765b42a707f5c9bc6e7502773d8f6957096a3",
"event_fingerprint": "c4b97abd9d3f32224b03b268299bf2e3861a5de0",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 4134,
"org": "Chinanet",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "98e49d761d3e1e2b0e60bb6f697a8228",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"service_name": "http",
"target_context": {
"dst_port": 8015,
"service": "http",
"service_name": "http",
"risk_score": 35
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8015\r\nAccept: *\/*\r\n\r\n",
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8015\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8015\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8015\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8015\r\nAccept: *\/*",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%"
},
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%",
"confidence_breakdown": {
"waf": 20,
"classification": 8,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"confidence": 0.61,
"classification_confidence": 0.61,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "358af33f9df4e1d2107a05b3d7cb5f135a95abdb",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 8015,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8015\r\nAccept: *\/*",
"attack_vector": "http \u00b7 via HTTP:8015 \u00b7 (sonde \/ probe)",
"target_port_label": "8015 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%",
"classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 61,
"confidence_breakdown": {
"waf": 20,
"classification": 8,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8015,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 8015,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http \u00b7 via HTTP:8015 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8015\r\nAccept: *\/*",
"target_port_label": "8015 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8015"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua"
]
}
|
|
|
TCP |
30009 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:30009 · (sonde / probe)
|
Moyenne
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 6639916abfac56b9
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
30009
Chemin / cible
—
Service
TLS
Payload
�����������1摷�?P���j��7���%I��U0�ɇ�V�.�� ���LQ���� :�/�gEݔԹ�.�c����W����+�/�,�0̨̩� ��� �����������E� ������������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������1摷�?P���j��7���%I��U0�ɇ�V�.�� ����LQ���� :�/�gEݔԹ�.�c����W����+�/�,�0̨̩� ���
�����������E�����������������
Requête brute (extrait)
�����������1摷�?P���j��7���%I��U0�ɇ�V�.�� ���LQ���� :�/�gEݔԹ�.�c����W����+�/�,�0̨̩� ��� �����������E� ��������������������������� � � ����������� �����������������������������+� ����������3����������I~#+��(C�����8�� <^xC��y�o�^B��h�M/�}��:�����a�
Meta JSON brut
{
"tls_ja3_hash": "6639916abfac56b9257ca216677085bc",
"tls_sni": null,
"bytes_in": 1457,
"payload_entropy": 7.7669425705414605,
"port_category": "registered",
"org": "Chinanet",
"service": "tls",
"app_proto": "tls",
"asn": 4134,
"country": "CN",
"dst_port": 30009,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "1df1559da642f282659aaaf456b8676e827be985",
"event_fingerprint": "a9c365b8a69f4edd586683307a62fe0f4e35bdf2",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 4134,
"org": "Chinanet",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "6639916abfac56b9257ca216677085bc",
"payload_hash": "3c5816b83e42f641b198d9057cafa46f",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 30009,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00031\u6477\ufffd?P\ufffd\ufffd\ufffdj\u001b\ufffd7\u0001\ufffd\ufffd%I\ufffd\ufffdU0\ufffd\u0247\ufffdV\ufffd.\u000e\ufffd \f\ufffd\ufffd\u0002LQ\ufffd\ufffd\ufffd\ufffd\t:\ufffd\/\ufffdgE\u0754\u0539\ufffd.\ufffdc\ufffd\ufffd\ufffd\ufffdW\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00031\u6477\ufffd?P\ufffd\ufffd\ufffdj\u001b\ufffd7\u0001\ufffd\ufffd%I\ufffd\ufffdU0\ufffd\u0247\ufffdV\ufffd.\u000e\ufffd \f\ufffd\ufffd\u0002LQ\ufffd\ufffd\ufffd\ufffd\t:\ufffd\/\ufffdgE\u0754\u0539\ufffd.\ufffdc\ufffd\ufffd\ufffd\ufffdW\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffdI~#+\ufffd\ufffd(C\ufffd\ufffd\ufffd\ufffd\u001a8\ufffd\u001d\f<^xC\ufffd\ufffdy\ufffdo\ufffd^B\u0019\ufffdh\ufffdM\/\ufffd}\ufffd\ufffd:\ufffd\ufffd\u0016\u001a\u0007a\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00031\u6477\ufffd?P\ufffd\ufffd\ufffdj\u001b\ufffd7\u0001\ufffd\ufffd%I\ufffd\ufffdU0\ufffd\u0247\ufffdV\ufffd.\u000e\ufffd \f\ufffd\ufffd\u0002LQ\ufffd\ufffd\ufffd\ufffd\t:\ufffd\/\ufffdgE\u0754\u0539\ufffd.\ufffdc\ufffd\ufffd\ufffd\ufffdW\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3e7816f2884b86caf07a79bdd4ab040677c97fef",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00031\u6477\ufffd?P\ufffd\ufffd\ufffdj\u001b\ufffd7\u0001\ufffd\ufffd%I\ufffd\ufffdU0\ufffd\u0247\ufffdV\ufffd.\u000e\ufffd \f\ufffd\ufffd\u0002LQ\ufffd\ufffd\ufffd\ufffd\t:\ufffd\/\ufffdgE\u0754\u0539\ufffd.\ufffdc\ufffd\ufffd\ufffd\ufffdW\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"tls_ja3": "6639916abfac56b9257ca216677085bc",
"port": 30009,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd1\u6477\ufffd?P\ufffd\ufffd\ufffdj\ufffd7\ufffd\ufffd%I\ufffd\ufffdU0\ufffd\u0247\ufffdV\ufffd.\ufffd \ufffd\ufffdLQ\ufffd\ufffd\ufffd\ufffd\t:\ufffd\/\ufffdgE\u0754\u0539\ufffd.\ufffdc\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdE\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:30009 \u00b7 (sonde \/ probe)",
"target_port_label": "30009 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 30009,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u00031\u6477\ufffd?P\ufffd\ufffd\ufffdj\u001b\ufffd7\u0001\ufffd\ufffd%I\ufffd\ufffdU0\ufffd\u0247\ufffdV\ufffd.\u000e\ufffd \f\ufffd\ufffd\u0002LQ\ufffd\ufffd\ufffd\ufffd\t:\ufffd\/\ufffdgE\u0754\u0539\ufffd.\ufffdc\ufffd\ufffd\ufffd\ufffdW\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000",
"tls_ja3": "6639916abfac56b9257ca216677085bc",
"port": 30009,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:30009 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd1\u6477\ufffd?P\ufffd\ufffd\ufffdj\ufffd7\ufffd\ufffd%I\ufffd\ufffdU0\ufffd\u0247\ufffdV\ufffd.\ufffd \ufffd\ufffdLQ\ufffd\ufffd\ufffd\ufffd\t:\ufffd\/\ufffdgE\u0754\u0539\ufffd.\ufffdc\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffdE\ufffd",
"target_port_label": "30009 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "30009"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni"
]
}
|