Renseignement sur les menaces

États-Unis

184.105.247.195

FAI Hurricane Electric LLC Première vue 02/01/2026 14:02 UTC Dernière vue 17/06/2026 02:06 UTC Risque Critique

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte · risque 35/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 02/01/2026 14:02 UTC

Dernière observation 17/06/2026 02:06 UTC

Événements (période) 83

MITRE ATT&CK principal TA0007 10 occurrences

Activité suspecte · risque 35/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « postgres_probe » (signaux protocolaires) · confiance 49%

Confiance 49 % — Score WAF 8

Comparaison ASN / FAI

ASN 6939 · 184.104.0.0/15 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 83 événements sur la période pour cette IP.

65.49.1.38 Sonde PostgreSQL 17/06/2026 04:48 UTC
184.105.247.230 Sonde HTTP 17/06/2026 04:47 UTC
184.105.247.194 Tentative d'exploit 17/06/2026 04:47 UTC
65.49.20.75 Sonde HTTP 17/06/2026 04:47 UTC
65.49.20.67 Tentative d'exploit 17/06/2026 04:46 UTC
74.82.47.4 Sonde I2P 17/06/2026 04:45 UTC
64.62.156.221 Sonde HTTP 17/06/2026 04:44 UTC
64.62.156.212 Tentative d'exploit 17/06/2026 04:43 UTC

Événements (filtres)

Première observation

02/01/2026 14:02 UTC

Dernière observation

17/06/2026 02:06 UTC

Dernière activité (filtres)

17/06/2026 02:06 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 33 HTTP TCP 31 CPANEL SSL TCP 2 FTP TCP 1 SSH TCP 1 GLASSFISH ADMIN TCP 1 TOR OR TCP 1 HTTP ALT 8010 TCP 1 AMQP TCP 1 VNC TCP 1 HTTP ALT 8060 TCP 1 WINRM TCP 1 POSTGRES TCP 1

TLS

HTTP

CPANEL SSL

FTP

SSH

GLASSFISH ADMIN

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Hurricane Electric LLC 896 Port 8060 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

postgres probe · via HTTP ALT 8060:8060 · (sonde / probe)

Détails protocole

Empreinte JA3: cba7f34191ef2379c1325641
Empreinte JA4: a3a5f53d3656a0df675e8aa0

Aperçu payload

{wj��~��ѩ"��3$� A��<$��/�+�� /5� 4 �

Port / service

8060 · HTTP ALT 8060

Service émulé

HTTP-ALT-8060

Raison confiance

Confiance 49 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0369

Confiance

49% Confiance modérée — signal unique

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

83 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

83 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 02:06:40 UTC	TCP	8060 · HTTP ALT 8060	http-alt-8060	Sonde PostgreSQL postgres probe · via HTTP ALT 8060:8060 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 cba7f34191ef2379 Émulateur HTTP-ALT-8060 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8060 Chemin / cible — Service HTTP ALT 8060 Payload {wj��~��ѩ"��3$� A��<$��/�+�� /5� 4 � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {wj��~��ѩ"��3$� A��<$��/�+�� /5� 4 � Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 128, "payload_entropy": 4.882787002933164, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http-alt-8060", "app_proto": "http-alt-8060", "asn": 6939, "country": "US", "dst_port": 8060, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "c5657d50162ced0a633bc84378aadefe48751ee2", "event_fingerprint": "9fa63a7d4d5c58347a0ca1e629c489216a9833f2", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8060", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "be093bda458728a6ba8c0a660e24d980", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "ja4": "a3a5f53d3656a0df675e8aa020d5979e", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8060, "service": "http-alt-8060", "service_name": "http-alt-8060", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003j\u000f\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u0469\"\ufffd\u0015\ufffd\ufffd3\u001c$\ufffd A\ufffd\ufffd\ufffd<\u0013$\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003j\u000f\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u0469\"\ufffd\u0015\ufffd\ufffd3\u001c$\ufffd A\ufffd\ufffd\ufffd<\u0013$\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003j\u000f\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u0469\"\ufffd\u0015\ufffd\ufffd3\u001c$\ufffd A\ufffd\ufffd\ufffd<\u0013$\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cf4f35a2859ce883fafabc8d38335dd0b47992ff", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003j\u000f\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u0469\"\ufffd\u0015\ufffd\ufffd3\u001c$\ufffd A\ufffd\ufffd\ufffd<\u0013$\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 8060, "service": "http-alt-8060", "service_label_fr": "HTTP ALT 8060" }, "evidence_snippet": "{wj\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u0469\"\ufffd\ufffd\ufffd3$\ufffd A\ufffd\ufffd\ufffd<$\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8060:8060 \u00b7 (sonde \/ probe)", "target_port_label": "8060 \u00b7 HTTP ALT 8060", "emulator_service": "http-alt-8060", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8060", "service_label_fr": "HTTP ALT 8060", "dst_port": 8060, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8060", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003j\u000f\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u0469\"\ufffd\u0015\ufffd\ufffd3\u001c$\ufffd A\ufffd\ufffd\ufffd<\u0013$\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 8060, "service": "http-alt-8060", "service_label_fr": "HTTP ALT 8060" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8060:8060 \u00b7 (sonde \/ probe)", "evidence_snippet": "{wj\ufffd\ufffd\ufffd\ufffd~\ufffd\ufffd\u0469\"\ufffd\ufffd\ufffd3$\ufffd A\ufffd\ufffd\ufffd<$\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "target_port_label": "8060 \u00b7 HTTP ALT 8060", "emulator_service": "http-alt-8060", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8060", "service_banner": "honeypot-http-alt-8060", "service_os": "linux", "dst_port": "8060" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
17/06/2026 01:20:08 UTC	TCP	2083 · CPANEL SSL	cpanel-ssl	Sonde PostgreSQL postgres probe · via CPANEL SSL:2083 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 cba7f34191ef2379 Émulateur CPANEL-SSL WAF — Recommandation Surveiller Tags cpanel_ssl_emulated net_cpanel_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2083 Chemin / cible — Service CPANEL SSL Payload {w��p�Py�/AK3��%��ߗ��I3ڶ��7�/�+�� /5� 4 � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {w��p�Py�/AK3��%��ߗ��I3ڶ��7�/�+�� /5� 4 � Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "bytes_in": 128, "payload_entropy": 4.830014444322512, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "cpanel-ssl", "app_proto": "cpanel-ssl", "asn": 6939, "country": "US", "dst_port": 2083, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "4cc54c7fcd5f1e5ebb94393f5b67f30e90170090", "event_fingerprint": "80d2812b66b9080b0842670f25ce9d4d3386dae1", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "cpanel-ssl", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7ea9698cd6b49679dd7c5e620710f63b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "ja4": "a3a5f53d3656a0df675e8aa020d5979e", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2083, "service": "cpanel-ssl", "service_name": "cpanel-ssl", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdp\ufffdPy\ufffd\/AK3\ufffd\u0013\ufffd\u0011%\ufffd\ufffd\u07d7\ufffd\ufffd\ufffdI3\u06b6\ufffd\ufffd7\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdp\ufffdPy\ufffd\/AK3\ufffd\u0013\ufffd\u0011%\ufffd\ufffd\u07d7\ufffd\ufffd\ufffdI3\u06b6\ufffd\ufffd7\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdp\ufffdPy\ufffd\/AK3\ufffd\u0013\ufffd\u0011%\ufffd\ufffd\u07d7\ufffd\ufffd\ufffdI3\u06b6\ufffd\ufffd7\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e337c7ee7e1bd6430539507e69aaec61edf13d81", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdp\ufffdPy\ufffd\/AK3\ufffd\u0013\ufffd\u0011%\ufffd\ufffd\u07d7\ufffd\ufffd\ufffdI3\u06b6\ufffd\ufffd7\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 2083, "service": "cpanel-ssl", "service_label_fr": "CPANEL SSL" }, "evidence_snippet": "{w\ufffd\ufffdp\ufffdPy\ufffd\/AK3\ufffd\ufffd%\ufffd\ufffd\u07d7\ufffd\ufffd\ufffdI3\u06b6\ufffd\ufffd7\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "attack_vector": "postgres probe \u00b7 via CPANEL SSL:2083 \u00b7 (sonde \/ probe)", "target_port_label": "2083 \u00b7 CPANEL SSL", "emulator_service": "cpanel-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "cpanel-ssl", "service_label_fr": "CPANEL SSL", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-ssl", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffdp\ufffdPy\ufffd\/AK3\ufffd\u0013\ufffd\u0011%\ufffd\ufffd\u07d7\ufffd\ufffd\ufffdI3\u06b6\ufffd\ufffd7\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 2083, "service": "cpanel-ssl", "service_label_fr": "CPANEL SSL" }, "attack_vector": "postgres probe \u00b7 via CPANEL SSL:2083 \u00b7 (sonde \/ probe)", "evidence_snippet": "{w\ufffd\ufffdp\ufffdPy\ufffd\/AK3\ufffd\ufffd%\ufffd\ufffd\u07d7\ufffd\ufffd\ufffdI3\u06b6\ufffd\ufffd7\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "target_port_label": "2083 \u00b7 CPANEL SSL", "emulator_service": "cpanel-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_ssl", "service_banner": "honeypot-cpanel-ssl", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_ssl_emulated", "net_cpanel_probe", "tls_clienthello" ] }
16/06/2026 13:57:57 UTC	TCP	9001 · TOR OR	tor-or	tor exit probe tor exit probe · via TOR OR:9001 · (commande & contrôle)	Élevée	Moyen · 43
Étape Commande & contrôle Chaîne Commande & contrôle Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0011 TA0011 Protocole Émulateur TOR-OR WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_tor_probe tor_exit_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9001 Chemin / cible — Service TOR OR Payload GET / HTTP/1.1 Host: 62.3.50.33:9001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Pourquoi cette classification : Type « tor_exit_probe » (signaux protocolaires) · confiance 46% Confiance classification 46% Confiance modérée — signal unique Risque capteur Moyen · 43 Confiance : Confiance 46 % — 6 signal(aux) capteur Protocole émulé 1 Signaux Tor Exit Hint Technique MITRE TA0011 Tactiques MITRE TA0011 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9001 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "030000000000000000", "emulator_response_len": 9, "bytes_in": 202, "payload_entropy": 5.39411354281705, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "tor-or", "app_proto": "tor-or", "asn": 6939, "country": "US", "dst_port": 9001, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25 }, "risk_score": 43, "tag_count": 6, "anomaly_count": 0, "campaign_key": "d967b0275d13a566643f776c2f2ca13b50a86244", "event_fingerprint": "2bc74a66a243c40126697f519e65200a159d147e", "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "confidence": 0.46, "classification_confidence": 0.46, "precision_score": 55, "precision_signals": [ "INT-TOR-exit-hint" ], "kb_rule_ids": [ "INT-TOR-exit-hint" ], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "tor-or", "risk_confidence_factor": 46, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6c75d3aec91ebd1b2698850b4835f2b8", "path_pattern_hash": "d2d40d620e587c49ef0af866b893b1d5" }, "target_context": { "dst_port": 9001, "service": "tor-or", "service_name": "tor-or", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%" }, "attack_stage": "c2", "mitre_tactics": [ "TA0011" ], "mitre": "TA0011", "threat_family": [ "botnet" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fc6a43a92b619c7426b65b543625a79a93c3d2c8", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "port": 9001, "service": "tor-or", "service_label_fr": "TOR OR" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "tor exit probe \u00b7 via TOR OR:9001 \u00b7 (commande & contr\u00f4le)", "target_port_label": "9001 \u00b7 TOR OR", "emulator_service": "tor-or", "confidence_reason": "Confiance 46 % \u2014 6 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "classification_reason_label_fr": "Type \u00ab tor_exit_probe \u00bb (signaux protocolaires) \u00b7 confiance 46%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0011 \u2014 confiance 46 % \u2014 via TOR OR", "confidence_pct": 46, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 43 }, "attack_stage": "c2", "attack_stage_label": "Commande & contr\u00f4le", "attack_chain_stage": "command_and_control", "attack_chain_stage_label_fr": "Commande & contr\u00f4le", "risk_score": 43, "risk_label": "Moyen", "service_name": "tor-or", "service_label_fr": "TOR OR", "dst_port": 9001, "protocol_emulated": true, "tags_summary": [ "INT-TOR-exit-hint" ], "tags_summary_labels_fr": [ "Tor Exit Hint" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0011", "mitre_technique": "TA0011", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tor-or", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "port": 9001, "service": "tor-or", "service_label_fr": "TOR OR" }, "attack_vector": "tor exit probe \u00b7 via TOR OR:9001 \u00b7 (commande & contr\u00f4le)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "9001 \u00b7 TOR OR", "emulator_service": "tor-or", "confidence_reason": "Confiance 46 % \u2014 6 signal(aux) capteur", "confidence_factors_fr": "Confiance 46 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "stage" }, { "key": "command_and_control", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tor_or", "service_banner": "honeypot-tor-or", "service_os": "linux", "dst_port": "9001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "command_and_control", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_tor_probe", "tor_exit_probe", "tor_or_emulated", "tor_or_payload" ] }
16/06/2026 07:37:17 UTC	TCP	5985 · WINRM	winrm	Sonde WinRM winrm probe · via WINRM:5985 · (sonde / probe)	Élevée	Faible · 31
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur WINRM WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_winrm_probe winrm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5985 Chemin / cible — Service WINRM Payload GET / HTTP/1.1 Host: 62.3.50.33:5985 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Pourquoi cette classification : Type « winrm_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 31 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5985 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5985 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e312034303120556e617574686f72697a65640d0a5757572d41757468656e7469636174653a204e65676f74696174650d0a436f6e74656e742d4c656e6774683a20300d0a0d0a", "emulator_response_len": 77, "bytes_in": 202, "payload_entropy": 5.415097854487978, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "winrm", "app_proto": "winrm", "asn": 6939, "country": "US", "dst_port": 5985, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 46, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 46, "novelty": 25 }, "risk_score": 31, "tag_count": 5, "anomaly_count": 0, "campaign_key": "41fa5d82cf5e704b60baf3241e133cb99d9fe750", "event_fingerprint": "69c3741eda286def0bdd9c17863648ff58bc3b2f", "classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 46, "novelty": 25, "risk_score": 31 }, "named_classification_skipped": false, "service_name": "winrm", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "244197015987202ab481937075f41687", "path_pattern_hash": "a98d2328dfdc853a4ac94ea7611b67e5" }, "target_context": { "dst_port": 5985, "service": "winrm", "service_name": "winrm", "risk_score": 31 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/109.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/109.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ffbeacae8c6b42e1cfc34593f9c2acd10f9e11f", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "port": 5985, "service": "winrm", "service_label_fr": "WINRM" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "winrm probe \u00b7 via WINRM:5985 \u00b7 (sonde \/ probe)", "target_port_label": "5985 \u00b7 WINRM", "emulator_service": "winrm", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab winrm_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 31\/100", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 46, "novelty": 25, "risk_score": 31 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 31, "risk_label": "Faible", "service_name": "winrm", "service_label_fr": "WINRM", "dst_port": 5985, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-winrm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "port": 5985, "service": "winrm", "service_label_fr": "WINRM" }, "attack_vector": "winrm probe \u00b7 via WINRM:5985 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "5985 \u00b7 WINRM", "emulator_service": "winrm", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "winrm", "service_banner": "honeypot-winrm", "service_os": "linux", "dst_port": "5985" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_winrm_probe", "winrm_emulated", "winrm_payload" ] }
16/06/2026 03:00:16 UTC	TCP	4848 · GLASSFISH ADMIN	glassfish-admin	Sonde PostgreSQL postgres probe · via GLASSFISH ADMIN:4848 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 cba7f34191ef2379 Émulateur GLASSFISH-ADMIN WAF — Recommandation Surveiller Tags glassfish_emulated net_glassfish_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4848 Chemin / cible — Service GLASSFISH ADMIN Payload {wٞUn��x'� j��F��C��GF^��Q��/�+�� /5� 4 � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {wٞUn��x'� j��F��C��GF^��Q��/�+�� /5� 4 � Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 128, "payload_entropy": 4.817698887112719, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "glassfish-admin", "app_proto": "glassfish-admin", "asn": 6939, "country": "US", "dst_port": 4848, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a681bdab5e03e0b5e161a796cd1f67b37c52aabc", "event_fingerprint": "9eb4a5bed64f235435fc220a3c7d0cc6870acffc", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "glassfish-admin", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2570d01493546fc44bfe13b3f97646a7", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "ja4": "a3a5f53d3656a0df675e8aa020d5979e", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4848, "service": "glassfish-admin", "service_name": "glassfish-admin", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u065eUn\ufffd\ufffd\ufffd\ufffdx'\ufffd\nj\u0011\ufffd\ufffdF\ufffd\ufffdC\ufffd\ufffdG\u0001F^\ufffd\u0014\ufffdQ\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u065eUn\ufffd\ufffd\ufffd\ufffdx'\ufffd\nj\u0011\ufffd\ufffdF\ufffd\ufffdC\ufffd\ufffdG\u0001F^\ufffd\u0014\ufffdQ\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u065eUn\ufffd\ufffd\ufffd\ufffdx'\ufffd\nj\u0011\ufffd\ufffdF\ufffd\ufffdC\ufffd\ufffdG\u0001F^\ufffd\u0014\ufffdQ\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f6fb99e08d88a19f7523276d8be1bc5256a3be24", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u065eUn\ufffd\ufffd\ufffd\ufffdx'\ufffd\nj\u0011\ufffd\ufffdF\ufffd\ufffdC\ufffd\ufffdG\u0001F^\ufffd\u0014\ufffdQ\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 4848, "service": "glassfish-admin", "service_label_fr": "GLASSFISH ADMIN" }, "evidence_snippet": "{w\u065eUn\ufffd\ufffd\ufffd\ufffdx'\ufffd\nj\ufffd\ufffdF\ufffd\ufffdC\ufffd\ufffdGF^\ufffd\ufffdQ\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "attack_vector": "postgres probe \u00b7 via GLASSFISH ADMIN:4848 \u00b7 (sonde \/ probe)", "target_port_label": "4848 \u00b7 GLASSFISH ADMIN", "emulator_service": "glassfish-admin", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "glassfish-admin", "service_label_fr": "GLASSFISH ADMIN", "dst_port": 4848, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-glassfish-admin", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u065eUn\ufffd\ufffd\ufffd\ufffdx'\ufffd\nj\u0011\ufffd\ufffdF\ufffd\ufffdC\ufffd\ufffdG\u0001F^\ufffd\u0014\ufffdQ\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 4848, "service": "glassfish-admin", "service_label_fr": "GLASSFISH ADMIN" }, "attack_vector": "postgres probe \u00b7 via GLASSFISH ADMIN:4848 \u00b7 (sonde \/ probe)", "evidence_snippet": "{w\u065eUn\ufffd\ufffd\ufffd\ufffdx'\ufffd\nj\ufffd\ufffdF\ufffd\ufffdC\ufffd\ufffdGF^\ufffd\ufffdQ\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "target_port_label": "4848 \u00b7 GLASSFISH ADMIN", "emulator_service": "glassfish-admin", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "glassfish_admin", "service_banner": "honeypot-glassfish-admin", "service_os": "linux", "dst_port": "4848" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "glassfish_emulated", "net_glassfish_probe", "tls_clienthello" ] }
16/06/2026 01:26:07 UTC	TCP	2083 · CPANEL SSL	cpanel-ssl	Sonde PostgreSQL postgres probe · via CPANEL SSL:2083 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 cba7f34191ef2379 Émulateur CPANEL-SSL WAF — Recommandation Surveiller Tags cpanel_ssl_emulated net_cpanel_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2083 Chemin / cible — Service CPANEL SSL Payload {w�0F��f!�ڹ8G�ù��3ĳ�g�Q��/�+�� /5� 4 � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {w�0F��f!�ڹ8G�ù��3ĳ�g�Q��/�+�� /5� 4 � Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "bytes_in": 128, "payload_entropy": 4.857434561543816, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "cpanel-ssl", "app_proto": "cpanel-ssl", "asn": 6939, "country": "US", "dst_port": 2083, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "4cc54c7fcd5f1e5ebb94393f5b67f30e90170090", "event_fingerprint": "80d2812b66b9080b0842670f25ce9d4d3386dae1", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "cpanel-ssl", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1e77d2996777ef563834bec857eaed16", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "ja4": "a3a5f53d3656a0df675e8aa020d5979e", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2083, "service": "cpanel-ssl", "service_name": "cpanel-ssl", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd0F\ufffd\ufffd\ufffdf!\ufffd\u06b98G\ufffd\u00f9\ufffd\ufffd\ufffd3\u0133\ufffd\u0004g\ufffdQ\ufffd\u0012\ufffd\u0011\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd0F\ufffd\ufffd\ufffdf!\ufffd\u06b98G\ufffd\u00f9\ufffd\ufffd\ufffd3\u0133\ufffd\u0004g\ufffdQ\ufffd\u0012\ufffd\u0011\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd0F\ufffd\ufffd\ufffdf!\ufffd\u06b98G\ufffd\u00f9\ufffd\ufffd\ufffd3\u0133\ufffd\u0004g\ufffdQ\ufffd\u0012\ufffd\u0011\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7737cf402eff644471806e5c652ebb946e61652d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd0F\ufffd\ufffd\ufffdf!\ufffd\u06b98G\ufffd\u00f9\ufffd\ufffd\ufffd3\u0133\ufffd\u0004g\ufffdQ\ufffd\u0012\ufffd\u0011\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 2083, "service": "cpanel-ssl", "service_label_fr": "CPANEL SSL" }, "evidence_snippet": "{w\ufffd0F\ufffd\ufffd\ufffdf!\ufffd\u06b98G\ufffd\u00f9\ufffd\ufffd\ufffd3\u0133\ufffdg\ufffdQ\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "attack_vector": "postgres probe \u00b7 via CPANEL SSL:2083 \u00b7 (sonde \/ probe)", "target_port_label": "2083 \u00b7 CPANEL SSL", "emulator_service": "cpanel-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "cpanel-ssl", "service_label_fr": "CPANEL SSL", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-ssl", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd0F\ufffd\ufffd\ufffdf!\ufffd\u06b98G\ufffd\u00f9\ufffd\ufffd\ufffd3\u0133\ufffd\u0004g\ufffdQ\ufffd\u0012\ufffd\u0011\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 2083, "service": "cpanel-ssl", "service_label_fr": "CPANEL SSL" }, "attack_vector": "postgres probe \u00b7 via CPANEL SSL:2083 \u00b7 (sonde \/ probe)", "evidence_snippet": "{w\ufffd0F\ufffd\ufffd\ufffdf!\ufffd\u06b98G\ufffd\u00f9\ufffd\ufffd\ufffd3\u0133\ufffdg\ufffdQ\ufffd\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "target_port_label": "2083 \u00b7 CPANEL SSL", "emulator_service": "cpanel-ssl", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_ssl", "service_banner": "honeypot-cpanel-ssl", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_ssl_emulated", "net_cpanel_probe", "tls_clienthello" ] }
15/06/2026 01:22:45 UTC	TCP	808 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:808 · (tentative d'exploit) · → www.shadowserver.org:443	Élevée	Moyen · 41
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole CONNECT www.shadowserver.org:443 UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 http_dangerous_method http_method_uncommon Cible HTTP CONNECT www.shadowserver.org:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 808 Chemin / cible www.shadowserver.org:443 Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 41 Confiance : Confiance 62 % — 2 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `CONNECT www.shadowserver.org:443 HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) CONNECT www.shadowserver.org:443 HTTP/1.1 Host: www.shadowserver.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) App Requête brute (extrait) CONNECT www.shadowserver.org:443 HTTP/1.1 Host: www.shadowserver.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 Connection: Keep-Alive Pragma: no-cache Proxy-Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "5186dac1dd506c3487aa39a6c8a4a57637399ef6", "http_host_hash": "6ae3ed4621d9c0dd8cee74f6b1c5b4073913b336", "http_target_hash": "6b8e04bac019a1bdc3bcbdaa5cdd24320a9a648d", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.408993570259432, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 808, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 41, "tag_count": 4, "anomaly_count": 0, "campaign_key": "251c350166c67c8f713bcd69ecf886044a0b3c82", "event_fingerprint": "e96971d34b4595ff497e3e18dfad1214436858d3", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 41 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "efff31ee849c981a7783b6add0cf22b7", "payload_hash": "aabdf92aa4de33ecfd336cfa20d3b1be", "path_pattern_hash": "a0d39411cb42eec21469d044e2155f68" }, "target_context": { "dst_port": 808, "service": "http", "service_name": "http", "risk_score": 41 }, "payload_preview": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "method": "CONNECT", "path": "www.shadowserver.org:443", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "request_sample": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nProxy-Connectio", "payload_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "evidence": { "method": "CONNECT", "path": "www.shadowserver.org:443", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "request_sample": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nProxy-Connectio", "payload_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f9027a79741da52cf349b24f999c37c86efdb18b", "protocol_details": { "http_method": "CONNECT", "http_path": "www.shadowserver.org:443", "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "port": 808, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "attack_vector": "exploit attempt \u00b7 via HTTP:808 \u00b7 (tentative d'exploit) \u00b7 \u2192 www.shadowserver.org:443", "target_port_label": "808 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 41\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 41 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 41, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 808, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "CONNECT", "http_path": "www.shadowserver.org:443", "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "port": 808, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:808 \u00b7 (tentative d'exploit) \u00b7 \u2192 www.shadowserver.org:443", "evidence_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "target_port_label": "808 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "808" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_dangerous_method", "http_method_uncommon" ] }
15/06/2026 01:22:43 UTC	TCP	808 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:808 · (tentative d'exploit)	Élevée	Moyen · 40
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path http_absolute_uri Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 808 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 29% Confiance classification 29% Confiance modérée — signal unique Risque capteur Moyen · 40 Confiance : Confiance 29 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET http://api.ipify.org/?format=json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET http://api.ipify.org/?format=json HTTP/1.1 Host: api.ipify.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Apple Requête brute (extrait) GET http://api.ipify.org/?format=json HTTP/1.1 Host: api.ipify.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 Meta JSON brut { "http_header_count": 2, "http_query_params": 1, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "5186dac1dd506c3487aa39a6c8a4a57637399ef6", "http_host_hash": "d29a2ecf00a8df01957221d1f0dff7b5d932ee52", "http_target_hash": "c992eafe99bb93048b184fe302c46a2c7c06d83d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.432339101056475, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 808, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 4, "anomaly_count": 0, "campaign_key": "e4552a41a2e27801a04e3e418c5c726218871c9c", "event_fingerprint": "6da997f4e5265c8d3cb10b64e7e12dc3d996c5c9", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 29%", "confidence": 0.29, "classification_confidence": 0.29, "precision_score": 35, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 29, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "efff31ee849c981a7783b6add0cf22b7", "payload_hash": "1030f989cb9522423f292a24da3e4a68", "path_pattern_hash": "9e6886b350be931fd969e2abc3b79698" }, "target_context": { "dst_port": 808, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "method": "GET", "path": "\/", "query_string": "format=json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "request_sample": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36\r\n\r\n", "payload_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "evidence": { "method": "GET", "path": "\/", "query_string": "format=json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "request_sample": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36\r\n\r\n", "payload_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 29%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "093f6a4005e7e9caa4b0b4f6c5f9bb35ee132a18", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "port": 808, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "attack_vector": "exploit attempt \u00b7 via HTTP:808 \u00b7 (tentative d'exploit)", "target_port_label": "808 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 29 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 29%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 29%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 40\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 29 % \u2014 via HTTP", "confidence_pct": 29, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 808, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "port": 808, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:808 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "target_port_label": "808 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 29 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 29 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "808" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "http_absolute_uri" ] }
15/06/2026 01:22:04 UTC	TCP	808 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:808 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 808 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 43 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:808 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, l Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:808 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "62ccd2a15dd05f306fc4db0130eee094d21d9527", "http_host_hash": "5ff341c6c9fd5ee9340b3a8d5d6696bdd61a3b19", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.421491178455289, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 808, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c3b62219943f90d28418a565d1abb5e4c1f44e2e", "event_fingerprint": "52e3c9ccd2494e74559049ebe4c06c78dc91411e", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a0925343a20453a4faddd2b11c69b3d7", "payload_hash": "e3b2b8a09e968edb436ba47cd26cbf8d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 808, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, l", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, like Gecko) Version\/7.0.3 Safari\/7046A194A", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, like Gecko) Version\/7.0.3 Safari\/7046A194A\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, l", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, like Gecko) Version\/7.0.3 Safari\/7046A194A", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, like Gecko) Version\/7.0.3 Safari\/7046A194A\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, l", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dc061d5b1ee9130c3f7a4d14b3e97cb9d30e1478", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, like Gecko) Version\/7.0.3 Safari\/7046A194A", "port": 808, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, l", "attack_vector": "exploit attempt \u00b7 via HTTP:808 \u00b7 (tentative d'exploit)", "target_port_label": "808 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 808, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, like Gecko) Version\/7.0.3 Safari\/7046A194A", "port": 808, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:808 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:808\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, l", "target_port_label": "808 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "808" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
15/06/2026 00:59:19 UTC	TCP	8010 · HTTP ALT 8010	http-alt-8010	Sonde PostgreSQL postgres probe · via HTTP ALT 8010:8010 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 cba7f34191ef2379 Émulateur HTTP-ALT-8010 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8010 Chemin / cible — Service HTTP ALT 8010 Payload {w��\|�k�K�ӝ�/m�70zd�n@Rѷ��/�+�� /5� 4 � Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {w��\|�k�K�ӝ�/m�70zd�n@Rѷ��/�+�� /5� 4 � Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 128, "payload_entropy": 4.780551328502067, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http-alt-8010", "app_proto": "http-alt-8010", "asn": 6939, "country": "US", "dst_port": 8010, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "16de40252f09d4e165e9850fd86974e2649b2844", "event_fingerprint": "3c8bec9ff6243353dd9f4241f81b225f3feb7ea2", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8010", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f2e1ff63ef8e311dd44fd7d899f5ad84", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "ja4": "a3a5f53d3656a0df675e8aa020d5979e", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8010, "service": "http-alt-8010", "service_name": "http-alt-8010", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0001\ufffd\ufffd\|\ufffdk\ufffdK\ufffd\u0010\u04dd\ufffd\/m\ufffd7\u00040zd\ufffdn@\u0015R\u0477\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0001\ufffd\ufffd\|\ufffdk\ufffdK\ufffd\u0010\u04dd\ufffd\/m\ufffd7\u00040zd\ufffdn@\u0015R\u0477\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0001\ufffd\ufffd\|\ufffdk\ufffdK\ufffd\u0010\u04dd\ufffd\/m\ufffd7\u00040zd\ufffdn@\u0015R\u0477\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e3f925318b54b19133eb1ed95403d60272a6d19", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0001\ufffd\ufffd\|\ufffdk\ufffdK\ufffd\u0010\u04dd\ufffd\/m\ufffd7\u00040zd\ufffdn@\u0015R\u0477\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 8010, "service": "http-alt-8010", "service_label_fr": "HTTP ALT 8010" }, "evidence_snippet": "{w\ufffd\ufffd\ufffd\|\ufffdk\ufffdK\ufffd\u04dd\ufffd\/m\ufffd70zd\ufffdn@R\u0477\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8010:8010 \u00b7 (sonde \/ probe)", "target_port_label": "8010 \u00b7 HTTP ALT 8010", "emulator_service": "http-alt-8010", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8010", "service_label_fr": "HTTP ALT 8010", "dst_port": 8010, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8010", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\u0001\ufffd\ufffd\|\ufffdk\ufffdK\ufffd\u0010\u04dd\ufffd\/m\ufffd7\u00040zd\ufffdn@\u0015R\u0477\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 8010, "service": "http-alt-8010", "service_label_fr": "HTTP ALT 8010" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8010:8010 \u00b7 (sonde \/ probe)", "evidence_snippet": "{w\ufffd\ufffd\ufffd\|\ufffdk\ufffdK\ufffd\u04dd\ufffd\/m\ufffd70zd\ufffdn@R\u0477\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "target_port_label": "8010 \u00b7 HTTP ALT 8010", "emulator_service": "http-alt-8010", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8010", "service_banner": "honeypot-http-alt-8010", "service_os": "linux", "dst_port": "8010" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ] }
08/06/2026 03:40:24 UTC	TCP	3128 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:3128 · (tentative d'exploit) · → www.shadowserver.org:443	Élevée	Moyen · 45
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole CONNECT www.shadowserver.org:443 UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 http_dangerous_method http_method_uncommon Cible HTTP CONNECT www.shadowserver.org:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 3128 Chemin / cible www.shadowserver.org:443 Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 45 Confiance : Confiance 62 % — 2 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `CONNECT www.shadowserver.org:443 HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/23.7.0.2534 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) CONNECT www.shadowserver.org:443 HTTP/1.1 Host: www.shadowserver.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) App Requête brute (extrait) CONNECT www.shadowserver.org:443 HTTP/1.1 Host: www.shadowserver.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/23.7.0.2534 Yowser/2.5 Safari/537.36 Connection: Keep-Alive Pra Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "716324c417916203c790f98e099ae6e192f53242", "http_host_hash": "6ae3ed4621d9c0dd8cee74f6b1c5b4073913b336", "http_target_hash": "6b8e04bac019a1bdc3bcbdaa5cdd24320a9a648d", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 303, "payload_entropy": 5.390945278628893, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 3128, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 45, "tag_count": 5, "anomaly_count": 0, "campaign_key": "27a86ce54c4f6c6a397a4411704d67d33bc05536", "event_fingerprint": "71f8fb0e20f6ae6349921424662f2b5e1af3d127", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1d6b36839b4adf1b86c5d9341d6b52e9", "payload_hash": "a4948ffa83fc8631716ae24d97e31df8", "path_pattern_hash": "a0d39411cb42eec21469d044e2155f68" }, "target_context": { "dst_port": 3128, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "method": "CONNECT", "path": "www.shadowserver.org:443", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "request_sample": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36\r\nConnection: Keep-Alive\r\nPra", "payload_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "evidence": { "method": "CONNECT", "path": "www.shadowserver.org:443", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "request_sample": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36\r\nConnection: Keep-Alive\r\nPra", "payload_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d972aa5967b5303b3d79df3010de74ab8eae4865", "protocol_details": { "http_method": "CONNECT", "http_path": "www.shadowserver.org:443", "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534\u2026", "port": 3128, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "attack_vector": "exploit attempt \u00b7 via HTTP:3128 \u00b7 (tentative d'exploit) \u00b7 \u2192 www.shadowserver.org:443", "target_port_label": "3128 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 45 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3128, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "CONNECT", "http_path": "www.shadowserver.org:443", "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534\u2026", "port": 3128, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:3128 \u00b7 (tentative d'exploit) \u00b7 \u2192 www.shadowserver.org:443", "evidence_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "target_port_label": "3128 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3128" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_dangerous_method", "http_method_uncommon", "net_web_probe" ] }
08/06/2026 03:40:15 UTC	TCP	3128 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:3128 · (tentative d'exploit)	Élevée	Moyen · 45
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path http_absolute_uri Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3128 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 29% Confiance classification 29% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 29 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET http://api.ipify.org/?format=json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/23.7.0.2534 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET http://api.ipify.org/?format=json HTTP/1.1 Host: api.ipify.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Apple Requête brute (extrait) GET http://api.ipify.org/?format=json HTTP/1.1 Host: api.ipify.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/23.7.0.2534 Yowser/2.5 Safari/537.36 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 1, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "716324c417916203c790f98e099ae6e192f53242", "http_host_hash": "d29a2ecf00a8df01957221d1f0dff7b5d932ee52", "http_target_hash": "c992eafe99bb93048b184fe302c46a2c7c06d83d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.400622961003493, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 3128, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 45, "tag_count": 5, "anomaly_count": 0, "campaign_key": "7d590a9f494a631bc96f351057bff942d6dcb26e", "event_fingerprint": "c29206d9b0a058f69acd8a10da1bf3d37554cd3b", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 29%", "confidence": 0.29, "classification_confidence": 0.29, "precision_score": 35, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 45 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 29, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1d6b36839b4adf1b86c5d9341d6b52e9", "payload_hash": "5edfba362270317f64a8f0ac4e7b3310", "path_pattern_hash": "9e6886b350be931fd969e2abc3b79698" }, "target_context": { "dst_port": 3128, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "method": "GET", "path": "\/", "query_string": "format=json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "request_sample": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36\r\n\r\n", "payload_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "evidence": { "method": "GET", "path": "\/", "query_string": "format=json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "request_sample": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36\r\n\r\n", "payload_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 29%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "05dd303bb5393f880e8e8055bf346ff5a59e357b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534\u2026", "port": 3128, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "attack_vector": "exploit attempt \u00b7 via HTTP:3128 \u00b7 (tentative d'exploit)", "target_port_label": "3128 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 29 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 29%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 29%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 45\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 29 % \u2014 via HTTP", "confidence_pct": 29, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 45 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 45, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3128, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534\u2026", "port": 3128, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:3128 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "target_port_label": "3128 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 29 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 29 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3128" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "http_absolute_uri", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 96 }
08/06/2026 03:40:02 UTC	TCP	3128 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:3128 · (sonde / probe) · → /favicon.ico	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET /favicon.ico UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3128 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Confiance : Confiance 50 % — Motif catalogue confirmé · 2 tag(s) WAF Protocole émulé 1 Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/23.7.0.2534 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:3128 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTM Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:3128 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/23.7.0.2534 Yowser/2.5 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600", "emulator_response_len": 130, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "716324c417916203c790f98e099ae6e192f53242", "http_host_hash": "0004f205c8c9eec39df22e7d5c19060a1bc84a1b", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 246, "payload_entropy": 5.419499262443658, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 3128, "risk_waf": 60, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e49d945b3830fba172c47726df7e61fb743342eb", "event_fingerprint": "02bc564c938159860779bd41a0d67dfc0ad90d5e", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1d6b36839b4adf1b86c5d9341d6b52e9", "payload_hash": "d01322be0c720d21ba8cc22a58d3e1b8", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 3128, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534 Yowser\/2.5 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a7d8d8bebefbd4269b58869813a42c8436bd56a3", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534\u2026", "port": 3128, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "attack_vector": "Sonde HTTP \u00b7 via HTTP:3128 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "3128 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "classification_reason_label_fr": "Sonde HTTP (tag rce-0) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 60, "classification": 42, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3128, "protocol_emulated": true, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 YaBrowser\/23.7.0.2534\u2026", "port": 3128, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:3128 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTM", "target_port_label": "3128 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9 \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3128" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
08/06/2026 03:39:40 UTC	TCP	3128 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:3128 · (tentative d'exploit)	Élevée	Moyen · 48
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3128 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 48 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 OPR/108.0.0.0 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3128 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3128 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 OPR/108.0.0.0 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "fb99546d153e45c3c498353b7103de2866a4cc10", "http_host_hash": "0004f205c8c9eec39df22e7d5c19060a1bc84a1b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.409143360339413, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 3128, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 48, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fd26819072250dcb8b4055072de225d2cf030e2f", "event_fingerprint": "b44d6a5705c872a60d428b36f768df94eca10fde", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dd169ad94998d35e3c6ff3cc9ced8a16", "payload_hash": "8a93d4e9ccd84797b9d15b7b6f45e21d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3128, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 OPR\/108.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 OPR\/108.0.0.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 OPR\/108.0.0.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 OPR\/108.0.0.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5977c2e91f86680861ccce0698b7918ed4389416", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 OPR\/108\u2026", "port": 3128, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "exploit attempt \u00b7 via HTTP:3128 \u00b7 (tentative d'exploit)", "target_port_label": "3128 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 48 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 48, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 3128, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/122.0.0.0 Safari\/537.36 OPR\/108\u2026", "port": 3128, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:3128 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3128\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "3128 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "3128" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
08/06/2026 01:11:55 UTC	TCP	444 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:444 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 444 Chemin / cible — Service TLS Payload ��Oa�k�'N�wH�9Rm��I��9#QW s�� i��K��F�p�SC��ܾ&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Oa�k�'N�wH�9Rm��I��9#QW s��i��K��F�p�SC��ܾ&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��Oa�k�'N�wH�9Rm��I��9#QW s�� i��K��F�p�SC��ܾ&̨̩�/�0�+�,�� /5� { �+ 3&$ ?V��f�L>񀢠@�T�!I��n��4 Meta JSON brut { "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 243, "payload_entropy": 5.893881048680874, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "tls", "app_proto": "tls", "asn": 6939, "country": "US", "dst_port": 444, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9bff362b5e4b1fc54e3e921cb3112e46219b6d26", "event_fingerprint": "70b05747c4e545e62e214ddf8300170578c21fcb", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "payload_hash": "4884f0eb8b0e51901bc5c8fe04ae1033", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 444, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001aOa\ufffdk\ufffd'N\ufffdwH\ufffd9Rm\ufffd\ufffdI\ufffd\ufffd\u0004\ufffd\u001a\ufffd\ufffd\ufffd9#QW \u0012s\ufffd\ufffd\ufffd\u0001\ufffd\u001f\ufffd\u0003\ufffd\ufffd\u000bi\ufffd\ufffdK\ufffd\ufffd\u000eF\ufffd\u0001p\ufffdSC\ufffd\ufffd\u073e\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001aOa\ufffdk\ufffd'N\ufffdwH\ufffd9Rm\ufffd\ufffdI\ufffd\ufffd\u0004\ufffd\u001a\ufffd\ufffd\ufffd9#QW \u0012s\ufffd\ufffd\ufffd\u0001\ufffd\u001f\ufffd\u0003\ufffd\ufffd\u000bi\ufffd\ufffdK\ufffd\ufffd\u000eF\ufffd\u0001p\ufffdSC\ufffd\ufffd\u073e\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 ?V\ufffd\ufffdf\ufffdL>\u001c\ud8c2\udca0@\ufffdT\ufffd!I\ufffd\ufffd\u0010n\u0006\u001e\ufffd\ufffd\ufffd\ufffd\ufffd4", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001aOa\ufffdk\ufffd'N\ufffdwH\ufffd9Rm\ufffd\ufffdI\ufffd\ufffd\u0004\ufffd\u001a\ufffd\ufffd\ufffd9#QW \u0012s\ufffd\ufffd\ufffd\u0001\ufffd\u001f\ufffd\u0003\ufffd\ufffd\u000bi\ufffd\ufffdK\ufffd\ufffd\u000eF\ufffd\u0001p\ufffdSC\ufffd\ufffd\u073e\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "55c7ce0bdf7ab4f97e1bb8c21a0c1e7de99d58f7", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001aOa\ufffdk\ufffd'N\ufffdwH\ufffd9Rm\ufffd\ufffdI\ufffd\ufffd\u0004\ufffd\u001a\ufffd\ufffd\ufffd9#QW \u0012s\ufffd\ufffd\ufffd\u0001\ufffd\u001f\ufffd\u0003\ufffd\ufffd\u000bi\ufffd\ufffdK\ufffd\ufffd\u000eF\ufffd\u0001p\ufffdSC\ufffd\ufffd\u073e\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 444, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdOa\ufffdk\ufffd'N\ufffdwH\ufffd9Rm\ufffd\ufffdI\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9#QW s\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffdK\ufffd\ufffdF\ufffdp\ufffdSC\ufffd\ufffd\u073e&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via TLS:444 \u00b7 (sonde \/ probe)", "target_port_label": "444 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 444, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u001aOa\ufffdk\ufffd'N\ufffdwH\ufffd9Rm\ufffd\ufffdI\ufffd\ufffd\u0004\ufffd\u001a\ufffd\ufffd\ufffd9#QW \u0012s\ufffd\ufffd\ufffd\u0001\ufffd\u001f\ufffd\u0003\ufffd\ufffd\u000bi\ufffd\ufffdK\ufffd\ufffd\u000eF\ufffd\u0001p\ufffdSC\ufffd\ufffd\u073e\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 444, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:444 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdOa\ufffdk\ufffd'N\ufffdwH\ufffd9Rm\ufffd\ufffdI\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9#QW s\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdi\ufffd\ufffdK\ufffd\ufffdF\ufffdp\ufffdSC\ufffd\ufffd\u073e&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "444 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "444" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "behavior_alert_count": 1, "behavior_priority": 72 }
08/06/2026 01:11:45 UTC	TCP	444 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:444 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 cba7f34191ef2379 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 444 Chemin / cible — Service TLS Payload {w�Pj�)"P<\OR��%f��2n~^R�R�+��/�+�� /5� 4 � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {w�Pj�)"P<\OR��%f��2n~^R�R�+��/�+�� /5� 4 � Meta JSON brut { "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 6, "bytes_in": 128, "payload_entropy": 4.757006803947931, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "tls", "app_proto": "tls", "asn": 6939, "country": "US", "dst_port": 444, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9bff362b5e4b1fc54e3e921cb3112e46219b6d26", "event_fingerprint": "8b40a48bc548893c3713866ab0b49b15cee7f8a7", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "payload_hash": "ca2eef3dde1c59aa841b8886ac846b89", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "a3a5f53d3656a0df675e8aa020d5979e", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 13, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 444, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0003\ufffdPj\ufffd)\"P<\\\u001aOR\ufffd\ufffd\ufffd%f\ufffd\ufffd2n~^\u0006R\ufffdR\ufffd+\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0003\ufffdPj\ufffd)\"P<\\\u001aOR\ufffd\ufffd\ufffd%f\ufffd\ufffd2n~^\u0006R\ufffdR\ufffd+\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0003\ufffdPj\ufffd)\"P<\\\u001aOR\ufffd\ufffd\ufffd%f\ufffd\ufffd2n~^\u0006R\ufffdR\ufffd+\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b0ba06cb2f38508048617f52997dc1af9436c22", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0003\ufffdPj\ufffd)\"P<\\\u001aOR\ufffd\ufffd\ufffd%f\ufffd\ufffd2n~^\u0006R\ufffdR\ufffd+\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 444, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "{w\ufffdPj\ufffd)\"P<\\OR\ufffd\ufffd\ufffd%f\ufffd\ufffd2n~^R\ufffdR\ufffd+\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:444 \u00b7 (sonde \/ probe)", "target_port_label": "444 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 444, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\u0003\ufffdPj\ufffd)\"P<\\\u001aOR\ufffd\ufffd\ufffd%f\ufffd\ufffd2n~^\u0006R\ufffdR\ufffd+\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "tls_ja3": "cba7f34191ef2379c1325641f6c6c4f4", "tls_ja4": "a3a5f53d3656a0df675e8aa020d5979e", "port": 444, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:444 \u00b7 (sonde \/ probe)", "evidence_snippet": "{w\ufffdPj\ufffd)\"P<\\OR\ufffd\ufffd\ufffd%f\ufffd\ufffd2n~^R\ufffdR\ufffd+\ufffd\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n4\n\r\ufffd", "target_port_label": "444 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "444" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
07/06/2026 13:16:06 UTC	TCP	2101 · HTTP	http	Sonde HTTP	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2101 Chemin / cible / Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 34% Confiance classification 34% Confiance modérée — signal unique Risque capteur Faible · 38 Signaux Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent NTRIP Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 User-Agent: NTRIP Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0bae62ac14bbe59ee26262f16729028baddf0654", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 73, "payload_entropy": 4.714170114867805, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 2101, "risk_waf": 20, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "aa8d6972bd0b406f2c29e798d5b4196274e37325", "event_fingerprint": "55d938b1377cbc0df3239afdabb39b3f6f262b5f", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 38 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "604295db1e2a9963906c06cd07756d0b", "payload_hash": "2c4dbfb8ceed3a2789cbcc08985d00ef", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2101, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: NTRIP\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "NTRIP", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: NTRIP\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: NTRIP\r\nAccept: \/\r\nAccept-Encoding: gzip", "evidence": { "method": "GET", "path": "\/", "user_agent": "NTRIP", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: NTRIP\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: NTRIP\r\nAccept: \/\r\nAccept-Encoding: gzip", "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "405541bf43c6bb510245f8735fa4cc8677924852", "site_display": { "classification": null, "classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 34%", "classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 34%", "confidence_pct": 34, "confidence_breakdown": { "waf": 20, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2101, "protocol_emulated": null, "tags_summary": [ "INT-single-port" ], "tags_summary_labels_fr": [ "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2101" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_missing_host" ] }
07/06/2026 04:47:40 UTC	TCP	8530 · HTTP	http	Tentative d'exploit	Élevée	Moyen · 48
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP HEAD /selfupdate/wuident.cab TLS SNI — Capteur paris-1
Preuve / Evidence Méthode HEAD Port 8530 Chemin / cible /selfupdate/wuident.cab Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `HEAD /selfupdate/wuident.cab HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Règles WAF rce-0 nosqli-3 Payload (extrait) HEAD /selfupdate/wuident.cab HTTP/1.1 Host: 62.3.50.33:8530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/201001 Requête brute (extrait) HEAD /selfupdate/wuident.cab HTTP/1.1 Host: 62.3.50.33:8530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "cab", "http_ua_hash": "6befef60a2383c468a0dc43eb9fa222cafd7a552", "http_host_hash": "e9dd49087659f7e6993ea9e8d2ec3c8069a34c38", "http_target_hash": "c884719fb6cd5abd125363450bffbb8e666e4b08", "http_referer_hash": null, "http_method": "HEAD", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 161, "payload_entropy": 5.341717535201049, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 8530, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b409a5591dae735cccd4d32840d2cabe220ceea0", "event_fingerprint": "0e2f62f25ceb6d715d2a8fede2d3425d9193caaa", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e240edd2834ba03478a6e5f464f91aab", "payload_hash": "359a9623eb22771ed96e20903473b12c", "path_pattern_hash": "2554a2eb643a4eb356521c96692ffd82" }, "target_context": { "dst_port": 8530, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "HEAD \/selfupdate\/wuident.cab HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/201001", "method": "HEAD", "path": "\/selfupdate\/wuident.cab", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/selfupdate\/wuident.cab HTTP\/1.1", "request_sample": "HEAD \/selfupdate\/wuident.cab HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccept: \/\r\n\r\n", "payload_snippet": "HEAD \/selfupdate\/wuident.cab HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/201001", "evidence": { "method": "HEAD", "path": "\/selfupdate\/wuident.cab", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "HEAD \/selfupdate\/wuident.cab HTTP\/1.1", "request_sample": "HEAD \/selfupdate\/wuident.cab HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccept: \/\r\n\r\n", "payload_snippet": "HEAD \/selfupdate\/wuident.cab HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/201001", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5bb1255c7aa3b4818f0c9fed75a54542ae375187", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8530" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploit_attempt", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
07/06/2026 04:47:17 UTC	TCP	8530 · HTTP	http	Tentative d'exploit	Élevée	Moyen · 48
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 19 Recommandation Surveiller Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /ClientWebService/Client.asmx TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8530 Chemin / cible /ClientWebService/Client.asmx Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /ClientWebService/Client.asmx?wsdl HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /ClientWebService/Client.asmx?wsdl HTTP/1.1 Host: 62.3.50.33:8530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Ge Requête brute (extrait) GET /ClientWebService/Client.asmx?wsdl HTTP/1.1 Host: 62.3.50.33:8530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 1, "http_path_depth": 2, "http_path_ext": "asmx", "http_ua_hash": "6befef60a2383c468a0dc43eb9fa222cafd7a552", "http_host_hash": "e9dd49087659f7e6993ea9e8d2ec3c8069a34c38", "http_target_hash": "dcf09aaa1bbf2c3c452c26cc320522c0c9433a06", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 194, "payload_entropy": 5.416988691495965, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 8530, "risk_waf": 84, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 48, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b409a5591dae735cccd4d32840d2cabe220ceea0", "event_fingerprint": "e84c4d98d5aac324e4afbececfd32b814cff0d96", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 84, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 48 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e240edd2834ba03478a6e5f464f91aab", "payload_hash": "1aa910f1436abf421f32acdc6d221a04", "path_pattern_hash": "8cbf255964d0000c040337a66d8630e9" }, "target_context": { "dst_port": 8530, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ClientWebService\/Client.asmx?wsdl HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Ge", "method": "GET", "path": "\/ClientWebService\/Client.asmx", "query_string": "wsdl", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/ClientWebService\/Client.asmx?wsdl HTTP\/1.1", "request_sample": "GET \/ClientWebService\/Client.asmx?wsdl HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ClientWebService\/Client.asmx?wsdl HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Ge", "evidence": { "method": "GET", "path": "\/ClientWebService\/Client.asmx", "query_string": "wsdl", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/ClientWebService\/Client.asmx?wsdl HTTP\/1.1", "request_sample": "GET \/ClientWebService\/Client.asmx?wsdl HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ClientWebService\/Client.asmx?wsdl HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Ge", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a36956522530bffa0b9e37518ed6d919521ab79e", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8530" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploit_attempt", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ] }
07/06/2026 04:46:15 UTC	TCP	8530 · HTTP	http	Tentative d'exploit	Élevée	Moyen · 44
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8530 Chemin / cible / Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Accep Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8530 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6befef60a2383c468a0dc43eb9fa222cafd7a552", "http_host_hash": "e9dd49087659f7e6993ea9e8d2ec3c8069a34c38", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 161, "payload_entropy": 5.276248536603278, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 8530, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f7e64a28974a08516bfeb7c612ab13c614e06be2", "event_fingerprint": "ccee1453018b10e3cfd44e6696ad33a7a4835d4d", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e240edd2834ba03478a6e5f464f91aab", "payload_hash": "93258a14b61d9a3768799e8b5dd53437", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8530, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccep", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccep", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8530\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:142.0) Gecko\/20100101 Firefox\/142.0\r\nAccep", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17f5530089140b11ca22bc29b58f4bb2657a2ea4", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8530" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploit_attempt", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
07/06/2026 02:20:54 UTC	TCP	8531 · TLS	tls	Sonde PostgreSQL	Élevée	Faible · 35
Étape Sonde / probe Corrélations Scan coordonné MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8531 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 59% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {wv�� Ї˖��"��6��"��c�� /�+�� /5� 4 � Meta JSON brut { "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 6, "bytes_in": 128, "payload_entropy": 4.785207120154468, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "tls", "app_proto": "tls", "asn": 6939, "country": "US", "dst_port": 8531, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "66fa9b3a8209916c8dd0ae0b7e9df3a8210ba4db", "event_fingerprint": "91dcaa7974b5467f9f5c469e879963e0ae9d8152", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "payload_hash": "b58d3eadcd193dd10eb830bf634002b6", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "a3a5f53d3656a0df675e8aa020d5979e" }, "target_context": { "dst_port": 8531, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003v\ufffd\ufffd\n\u0407\u02d6\u0019\ufffd\ufffd\ufffd\"\ufffd\u001e\ufffd6\ufffd\ufffd\ufffd\"\u0002\ufffd\ufffd\ufffdc\ufffd\u000e\ufffd\ufffd\ufffd\r\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003v\ufffd\ufffd\n\u0407\u02d6\u0019\ufffd\ufffd\ufffd\"\ufffd\u001e\ufffd6\ufffd\ufffd\ufffd\"\u0002\ufffd\ufffd\ufffdc\ufffd\u000e\ufffd\ufffd\ufffd\r\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003v\ufffd\ufffd\n\u0407\u02d6\u0019\ufffd\ufffd\ufffd\"\ufffd\u001e\ufffd6\ufffd\ufffd\ufffd\"\u0002\ufffd\ufffd\ufffdc\ufffd\u000e\ufffd\ufffd\ufffd\r\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003v\ufffd\ufffd\n\u0407\u02d6\u0019\ufffd\ufffd\ufffd\"\ufffd\u001e\ufffd6\ufffd\ufffd\ufffd\"\u0002\ufffd\ufffd\ufffdc\ufffd\u000e\ufffd\ufffd\ufffd\r\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003v\ufffd\ufffd\n\u0407\u02d6\u0019\ufffd\ufffd\ufffd\"\ufffd\u001e\ufffd6\ufffd\ufffd\ufffd\"\u0002\ufffd\ufffd\ufffdc\ufffd\u000e\ufffd\ufffd\ufffd\r\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7bf45b4b954a3af1d64db0d5720d7f8e8aaccebf", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8531" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "184.105.247.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "probe", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
07/06/2026 02:20:35 UTC	TCP	8531 · TLS	tls	Sonde PostgreSQL	Élevée	Faible · 35
Étape Sonde / probe Corrélations Scan coordonné MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8531 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 59% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {w�/$�~��'q�0od3$�� x Ϩ��/�+�� /5� 4 � Meta JSON brut { "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 6, "bytes_in": 128, "payload_entropy": 4.7836467221840016, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "tls", "app_proto": "tls", "asn": 6939, "country": "US", "dst_port": 8531, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "66fa9b3a8209916c8dd0ae0b7e9df3a8210ba4db", "event_fingerprint": "91dcaa7974b5467f9f5c469e879963e0ae9d8152", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "payload_hash": "a9be9da4c5dfef31f115145e880446bb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "a3a5f53d3656a0df675e8aa020d5979e" }, "target_context": { "dst_port": 8531, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\/$\ufffd~\u0004\ufffd\ufffd'q\u000f\ufffd0od3$\b\ufffd\ufffd\t\ufffd\ufffdx\r\u03e8\u001d\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\/$\ufffd~\u0004\ufffd\ufffd'q\u000f\ufffd0od3$\b\ufffd\ufffd\t\ufffd\ufffdx\r\u03e8\u001d\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\/$\ufffd~\u0004\ufffd\ufffd'q\u000f\ufffd0od3$\b\ufffd\ufffd\t\ufffd\ufffdx\r\u03e8\u001d\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\/$\ufffd~\u0004\ufffd\ufffd'q\u000f\ufffd0od3$\b\ufffd\ufffd\t\ufffd\ufffdx\r\u03e8\u001d\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\/$\ufffd~\u0004\ufffd\ufffd'q\u000f\ufffd0od3$\b\ufffd\ufffd\t\ufffd\ufffdx\r\u03e8\u001d\ufffd\ufffd\ufffd\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aab8b617bbbac83f14934286c8d50d29e6b40cd4", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8531" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "184.105.247.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "probe", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
07/06/2026 02:19:16 UTC	TCP	8531 · TLS	tls	Sonde PostgreSQL	Élevée	Faible · 35
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8531 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) {w��腲x�� ՘-��+�/�1ā�\|5(� �/�+�� /5� 4 � Meta JSON brut { "tls_ja3_hash": "cba7f34191ef2379c1325641f6c6c4f4", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 6, "bytes_in": 128, "payload_entropy": 4.787476604962698, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "tls", "app_proto": "tls", "asn": 6939, "country": "US", "dst_port": 8531, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "66fa9b3a8209916c8dd0ae0b7e9df3a8210ba4db", "event_fingerprint": "91dcaa7974b5467f9f5c469e879963e0ae9d8152", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "cba7f34191ef2379c1325641f6c6c4f4", "payload_hash": "ba230bb396c2cad765f884570be77f1f", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "a3a5f53d3656a0df675e8aa020d5979e" }, "target_context": { "dst_port": 8531, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\u8172x\ufffd\ufffd\t\ufffd\u0558-\ufffd\ufffd\ufffd+\ufffd\u0018\/\ufffd1\u0101\ufffd\|5(\ufffd\t\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\u8172x\ufffd\ufffd\t\ufffd\u0558-\ufffd\ufffd\ufffd+\ufffd\u0018\/\ufffd1\u0101\ufffd\|5(\ufffd\t\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\u8172x\ufffd\ufffd\t\ufffd\u0558-\ufffd\ufffd\ufffd+\ufffd\u0018\/\ufffd1\u0101\ufffd\|5(\ufffd\t\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\u8172x\ufffd\ufffd\t\ufffd\u0558-\ufffd\ufffd\ufffd+\ufffd\u0018\/\ufffd1\u0101\ufffd\|5(\ufffd\t\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000{\u0001\u0000\u0000w\u0003\u0003\ufffd\ufffd\ufffd\u8172x\ufffd\ufffd\t\ufffd\u0558-\ufffd\ufffd\ufffd+\ufffd\u0018\/\ufffd1\u0101\ufffd\|5(\ufffd\t\u0000\u0000\u001a\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\u0001\u0000\u00004\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e7da4bac0ae337e734f16fd772ef6705c127775f", "tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10,5-10-11-13-65281,23-24-25,0", "tls_ja4_hash": "a3a5f53d3656a0df675e8aa020d5979e", "tls_ja4": "t13d0113_ad3470b4f447_40d2e578a3e2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8531" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
05/06/2026 10:56:35 UTC	TCP	81	http	Tentative d'exploit	Élevée	Moyen · 43
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 http_dangerous_method http_method_uncommon Cible HTTP CONNECT www.shadowserver.org:443 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode CONNECT Port 81 Chemin / cible www.shadowserver.org:443 Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `CONNECT www.shadowserver.org:443 HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) CONNECT www.shadowserver.org:443 HTTP/1.1 Host: www.shadowserver.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) App Requête brute (extrait) CONNECT www.shadowserver.org:443 HTTP/1.1 Host: www.shadowserver.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 Connection: Keep-Alive Pragma: no-cache Proxy-Connectio Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "5186dac1dd506c3487aa39a6c8a4a57637399ef6", "http_host_hash": "6ae3ed4621d9c0dd8cee74f6b1c5b4073913b336", "http_target_hash": "6b8e04bac019a1bdc3bcbdaa5cdd24320a9a648d", "http_referer_hash": null, "http_method": "CONNECT", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.408993570259432, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 81, "risk_waf": 60, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 60, "classification": 72, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 0, "campaign_key": "39d5c7a66ecbe92065e4bf265cf3db12502075a8", "event_fingerprint": "e325ad123984696a35589d8900e8bce207826272", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "efff31ee849c981a7783b6add0cf22b7", "payload_hash": "aabdf92aa4de33ecfd336cfa20d3b1be", "path_pattern_hash": "a0d39411cb42eec21469d044e2155f68" }, "target_context": { "dst_port": 81, "service": "http" }, "payload_preview": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "method": "CONNECT", "path": "www.shadowserver.org:443", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "request_sample": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nProxy-Connectio", "payload_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "evidence": { "method": "CONNECT", "path": "www.shadowserver.org:443", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "CONNECT www.shadowserver.org:443 HTTP\/1.1", "request_sample": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nProxy-Connectio", "payload_snippet": "CONNECT www.shadowserver.org:443 HTTP\/1.1\r\nHost: www.shadowserver.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) App", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f505550c78ad6aeadfeed3f5bcbad7479ee92203", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "http_dangerous_method", "http_method_uncommon" ], "behavior_alert_count": 1, "behavior_priority": 96 }
05/06/2026 10:56:29 UTC	TCP	81	http	Sonde HTTP	Élevée	Faible · 39
Étape Sonde / probe MITRE TA0007 TA0001 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path http_absolute_uri Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Pourquoi cette classification : Sonde HTTP (tag rce-0) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET http://api.ipify.org/?format=json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET http://api.ipify.org/?format=json HTTP/1.1 Host: api.ipify.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Apple Requête brute (extrait) GET http://api.ipify.org/?format=json HTTP/1.1 Host: api.ipify.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36 Meta JSON brut { "http_header_count": 2, "http_query_params": 1, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "5186dac1dd506c3487aa39a6c8a4a57637399ef6", "http_host_hash": "d29a2ecf00a8df01957221d1f0dff7b5d932ee52", "http_target_hash": "c992eafe99bb93048b184fe302c46a2c7c06d83d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.432339101056475, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 81, "risk_waf": 72, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 72, "classification": 48, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 39, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4d4db57eb16fb0d21eecb9f6199a74aecb5dbb82", "event_fingerprint": "a6c47c3004a8dfaa78cdbb46eaeca4733e2bc663", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "efff31ee849c981a7783b6add0cf22b7", "payload_hash": "1030f989cb9522423f292a24da3e4a68", "path_pattern_hash": "9e6886b350be931fd969e2abc3b79698" }, "target_context": { "dst_port": 81, "service": "http" }, "payload_preview": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "method": "GET", "path": "\/", "query_string": "format=json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "request_sample": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36\r\n\r\n", "payload_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "evidence": { "method": "GET", "path": "\/", "query_string": "format=json", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1", "request_sample": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.84 Safari\/537.36\r\n\r\n", "payload_snippet": "GET http:\/\/api.ipify.org\/?format=json HTTP\/1.1\r\nHost: api.ipify.org\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Apple", "classification_reason": "Sonde HTTP (tag rce-0) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d43cb68149f2e2fd49a134aac1edeae256af01cb", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "http_absolute_uri" ] }
05/06/2026 10:54:56 UTC	TCP	81	http	Tentative d'exploit	Élevée	Moyen · 46
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "940ef98c80932a8517b4241839e8e9d3b1f40c6b", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.433418525901138, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 81, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "03a690d60596d39f0632dad68ca29347a0b65b81", "event_fingerprint": "ea594d22610095fdc4d5a1f374bfd407e5255a96", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ac8f5c88a83e672485247380c0afada5", "payload_hash": "d3b02b49e41ef34828835a3cd7bd0205", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 81, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/1", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/1", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/1", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c1e4a9a67ad49258a1efecdc9217b8e97f015ac1", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
04/06/2026 15:17:26 UTC	TCP	21	ftp	Sonde FTP	Élevée	Faible · 13
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
04/06/2026 08:38:18 UTC	TCP	8880	http	web attack	Élevée	Moyen · 47
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible / Confiance classification 89% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0.0; Win64; x64; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.156 Not(A:Brand/24 YaBrowser/24.4.1.899 Yowser/2.5 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0.0; Win64; x64; ) AppleWebKit/537.36 (KHTML, like Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "c5f2247a66bd146d7a3c8a5b66f02126669f9be8", "http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.4543459245940635, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 8880, "risk_waf": 72, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e7eb56cd0ccee6035fab80aaeca04c7a8880029e", "event_fingerprint": "9c43302bad8d79f2a58d5038033b2ff224a2b508", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63b67b41e7ebd7450c833e3946ae719b", "payload_hash": "418bb1b3b649fdb0c929f6ebf225ce3c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8880, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.89, "classification_confidence": 0.89, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0.0; Win64; x64; ) AppleWebKit\/537.36 (KHTML, like", "event_signature": "bdd52b66bb866e6a75e3f385ba14b86987593a10", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
04/06/2026 04:21:44 UTC	TCP	1000	http	web attack	Élevée	Moyen · 46
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1000 Chemin / cible / Confiance classification 89% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "1b55bb2b2c31a214be7c6f16fefa5e6629cee38b", "http_host_hash": "f258a94e90e1893d77a4333d1c37930c29020403", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.296580944027448, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "dst_port": 1000, "risk_waf": 72, "risk_classification": 80, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 72, "classification": 80, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d3781e0bbb7b3eaae9d315ddc3d54861b06e4ffb", "event_fingerprint": "9781a8e1f03c20706a3c9dc8a1e2e6145feea827", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 6939, "org": "Hurricane Electric LLC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "13fd361c984c8bedd01d045cc371ca74", "payload_hash": "b1e1fcea0f12da91576a0361cb16366e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1000, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.89, "classification_confidence": 0.89, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, ", "event_signature": "4d4ccbaae11b0b55fbe575731990530cb0e4cc66", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
04/06/2026 02:07:55 UTC	TCP	7000	—	Sonde port	Faible	Faible · 14
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 12:34:34 UTC	TCP	5432	postgres	postgres attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 06:34:20 UTC	TCP	5081	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 06:34:14 UTC	TCP	5081	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 06:06:02 UTC	TCP	20020	http	web attack	Élevée	Critique · 100
Étape — WAF 16 Recommandation — Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 20020 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "803bc2bca1669a5180ebd764449026907ba3c1d9", "http_host_hash": "7c910635ebdd2ec7a02b91e4a18506786608faa0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 193, "payload_entropy": 5.427703935492988, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "tag_count": 3, "anomaly_count": 0, "risk_score": 100, "campaign_key": "6c733cdc76068babe944cdaa0041b8f7ac86f8b5", "event_fingerprint": "7f506b7e79e18b41f6b7751259206c3b928342a9", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
01/06/2026 01:35:07 UTC	TCP	22	ssh	ssh attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 14:45:01 UTC	TCP	6001	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 14:23:15 UTC	TCP	5900	vnc	vnc attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 11:25:02 UTC	TCP	8060	http	web attack	Élevée	Critique · 100
Étape — WAF 16 Recommandation — Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8060 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "06c6936bd2e49babc5d8cff65b916d05fe9bff95", "http_host_hash": "659aba210ed45d12732dc398ec420869b9d4d3d3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 171, "payload_entropy": 5.215982902276219, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "tag_count": 3, "anomaly_count": 0, "risk_score": 100, "campaign_key": "40f8eae1b445cdb4a80ebb40d215798791b6e7d5", "event_fingerprint": "7da49a81a68aba93eb39f88e14f73ed92b3f3fc9", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
30/05/2026 14:17:03 UTC	TCP	1801	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 09:05:02 UTC	TCP	9643	http	web attack	Élevée	Critique · 100
Étape — WAF 16 Recommandation — Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9643 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "724d5a8254fa9d7e73475232630fca53bdbd0f90", "http_host_hash": "cb1afac92f3620b49934d6e5ac11caee8c12ebf3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.359369546649175, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "tag_count": 3, "anomaly_count": 0, "risk_score": 100, "campaign_key": "366915b90f9520f9cdb6c4fa616f52a6846719c4", "event_fingerprint": "6e0ee1b8626e7b8c925a42af4ffc61da1ffb41b2", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
29/05/2026 08:49:48 UTC	TCP	9999	http	web attack	Élevée	Critique · 100
Étape — WAF 16 Recommandation — Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9999 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "18944bf9c08954c4ab2443438e9bd9a12eea6679", "http_host_hash": "83a22baaf629d53e39c79d30e6b18dca9da1a92c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.414049510933064, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "tag_count": 3, "anomaly_count": 0, "risk_score": 100, "campaign_key": "c992bf4a8142641692d5115f793db7285de35d61", "event_fingerprint": "5823f7ce3e55ab30127f12cd1e8a81fbeb0285d8", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
28/05/2026 11:35:53 UTC	TCP	4646	http	web attack	Élevée	Critique · 100
Étape — WAF 16 Recommandation — Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 4646 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "8ce2ac0889d881e6b69dfc50d026374b84fe6254", "http_host_hash": "46a9b2ce10e9d611ee86e145e07ad2eb86ad6ce6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 208, "payload_entropy": 5.3374697554859845, "port_category": "registered", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "tag_count": 3, "anomaly_count": 0, "risk_score": 100, "campaign_key": "279482ce20f6824739f6b910de27566a2ce129e7", "event_fingerprint": "3871cb319ce7317be83387db082a249c91011d37", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
28/05/2026 06:00:18 UTC	TCP	2096	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
28/05/2026 05:59:37 UTC	TCP	2096	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 14:49:59 UTC	TCP	5672	amqp	amqp probe	Élevée	Moyen · 50
Étape — WAF — Recommandation — Tags amqp_handshake Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 06:40:23 UTC	TCP	1003	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
27/05/2026 05:43:35 UTC	TCP	81	http	web attack	Élevée	Critique · 100
Étape — WAF 16 Recommandation — Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.3 Règles WAF 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "224532780fe2e707ad4c403542e7306b48753b17", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.393639367241509, "port_category": "well_known", "org": "Hurricane Electric LLC", "service": "http", "app_proto": "http", "asn": 6939, "country": "US", "tag_count": 3, "anomaly_count": 0, "risk_score": 100, "campaign_key": "d75923a08043500eae66386b467275bec1ed7723", "event_fingerprint": "03badc3551a4f44339f123528b3672cbfed8ce84", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
26/05/2026 11:39:40 UTC	TCP	5002	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 14:31:33 UTC	TCP	33060	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 14:28:42 UTC	TCP	636	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1

184.105.247.195

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence