|
|
TCP |
29960 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:29960 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 61
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
29960
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 61
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:29960
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:29960 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "ac5c987e4656c6f5a946bf5c0063bda4fc1d6d0d",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.2110744109585845,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 29960,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 61,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "0f24030a8f56e10f8448a94e32624860e15310f3",
"event_fingerprint": "dfd22b9159cd1e7c33665e0cdbbdd65e1b7283c2",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 61
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "5b3c81815e549a5d76b34b15299214d4",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 29960,
"service": "http",
"service_name": "http",
"risk_score": 61
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29960\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29960\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29960\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29960\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29960\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cae2f72a2800cdc8394e33f22ced02cadd99c104",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 29960,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29960\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:29960 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "29960 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 61
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 61,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 29960,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 29960,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:29960 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29960\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "29960 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "29960"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
27332 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:27332 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 63
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
27332
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 63
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:27332
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:27332 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "1d9d7252e989a8d3dfae03eff803460f88599874",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.204831706757402,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 27332,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 63,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "efe5d7c4d5419e645f21e062226316ded0038ce4",
"event_fingerprint": "7e1d8894114c1d471159c2ed473dd525a7e6602f",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 63
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "4e2b0046f6324e5b238aa8cd4f051663",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 27332,
"service": "http",
"service_name": "http",
"risk_score": 63
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:27332\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:27332\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:27332\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:27332\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:27332\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "52b16d2185380d72d8e62d7504efcf1178efcf6b",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 27332,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:27332\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:27332 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "27332 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 63
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 63,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 27332,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 27332,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:27332 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:27332\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "27332 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "27332"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
29318 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:29318 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 63
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
29318
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 63
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:29318
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:29318 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "1e36d8b49015420c13fd5f053b475afd308ca60e",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.21530035840002,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 29318,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 63,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "6de531be4c7ba9f064d7467f4d15e3d7e79ff8ce",
"event_fingerprint": "55e0c973765c8016f9b22c37f6d18440d3f9b9ec",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 63
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "432e20b66dc34472b6d4786c39185fc8",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 29318,
"service": "http",
"service_name": "http",
"risk_score": 63
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29318\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29318\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29318\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29318\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29318\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "72cbb4cdaff7305913dbefb783b46ab2a8145029",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 29318,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29318\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:29318 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "29318 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 63
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 63,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 29318,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 29318,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:29318 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:29318\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "29318 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "29318"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
30018 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:30018 · (tentative d'exploit) · → /favicon.ico
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30018
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50%
Confiance classification
60%
Corrélation +10
Risque capteur
Moyen
· 56
Confiance : Confiance 50 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:30018
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:30018 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "c7f253781538b6922696c230a76ed63fe562401e",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.171798810969104,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 30018,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "390a038dadbf26c4a0555db9d848d306e8f07be0",
"event_fingerprint": "d1cbba49fd7f8768682e93dcc942299c2fe408eb",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.6,
"classification_confidence": 0.6,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "c1c1411790b8c92e38ecf79bc781303c",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 30018,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30018\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30018\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30018\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30018\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30018\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "71ed91960d7596b9cbbbb24b7f250e050990aad1",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 30018,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30018\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"attack_vector": "lfi path traversal \u00b7 via HTTP:30018 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "30018 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 60 % \u2014 via HTTP \u2014 campagne \/24 (185.216.145.0\/24)",
"confidence_pct": 60,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 30018,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 30018,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:30018 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30018\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"target_port_label": "30018 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (185.216.145.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30018"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "185.216.145.0\/24",
"coordinated_ip_count": 5,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
31431 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:31431 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 59
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
31431
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 59
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:31431
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:31431 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "9f7127a9aa7d95a856b415b2a0f1e98bea160b4d",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.149581611021983,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 31431,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 59,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "066bf089dd705da1e28851df76945923c1586cd5",
"event_fingerprint": "71d7da75b79be24809f38d458ea527cb1ce7675d",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 59,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "0e35f45f6d19af8b0eecf7207f385e83",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 31431,
"service": "http",
"service_name": "http",
"risk_score": 59
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:31431\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:31431\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:31431\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:31431\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:31431\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2e220159976d2c09d39fa0097fa94192a2ee3e30",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 31431,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:31431\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:31431 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "31431 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (185.216.145.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 59,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 59,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 31431,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 31431,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:31431 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:31431\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "31431 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (185.216.145.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "31431"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "185.216.145.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
22636 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:22636 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
22636
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 55
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:22636
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:22636 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "bcf95918d1c4d50581c477fa255005a75affa90c",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.154579613338125,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 22636,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "1bb1dc5e5f1d35137407b4950a9a5c247c882696",
"event_fingerprint": "71ce8bcb747eb36c58a17fe5257c421fb8ddbf89",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "762b39b08aee9902c6e11ddaa0588463",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 22636,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22636\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22636\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22636\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22636\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22636\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "952e169ba0aa551df81132ecb98c8670f48140b8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 22636,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22636\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:22636 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "22636 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (185.216.145.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 22636,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 22636,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:22636 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22636\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "22636 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (185.216.145.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "22636"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "185.216.145.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
21055 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:21055 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 60
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
21055
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
100%
Corrélation +10
Risque capteur
Moyen
· 60
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:21055
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:21055 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versi
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "8226cdf89f9f698ea6bddeab233b4697fd3c7175",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 448,
"payload_entropy": 5.195586819592053,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 21055,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 60,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "4c147d763adcfa9c0eba0e0db6bbeeef3ff28bbd",
"event_fingerprint": "2e5c7af286c366c4599896646f5c9aaf2d77ca8c",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 60,
"correlation_boost": 10
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "0fbf6466d1392cf075fc3f09215c2bb0",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 21055,
"service": "http",
"service_name": "http",
"risk_score": 60
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21055\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21055\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21055\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21055\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versi",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21055\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f8fb6854ca644688edbc6de066fbceb92059440b",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 21055,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21055\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"attack_vector": "http smuggling probe \u00b7 via HTTP:21055 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "21055 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (185.216.145.0\/24)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 60,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 60,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 21055,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 21055,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:21055 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:21055\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent",
"target_port_label": "21055 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (185.216.145.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "21055"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "185.216.145.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
22280 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:22280 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
22280
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
69%
Corrélation +10
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:22280
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:22280 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "7d142885b6ece29cf6c2bd87ac82bb3354cf842a",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.162484194512611,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 22280,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 58,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "fd1536045c1cba5a393b555bf3fb636d3920cb81",
"event_fingerprint": "ae69c866ed3b5d77d52035a1ca2fb6659e8799a2",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 58,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "07962a11049d123fbbe29c4ab509ec34",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 22280,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22280\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22280\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22280\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22280\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22280\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9bc4d4c880289a7967ffa204d81f2f3498feadbd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 22280,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22280\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:22280 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "22280 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (185.216.145.0\/24)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 58,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 22280,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 22280,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:22280 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:22280\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "22280 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (185.216.145.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "22280"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "185.216.145.0\/24",
"coordinated_ip_count": 4,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
11976 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:11976 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11976
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 56
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:11976
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:11976 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "522c1fa261d44526b89992b0805ae71bf7811450",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.174999165850639,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 11976,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "69f45d186305428aaeebcccfb4e15ec088c8509d",
"event_fingerprint": "c2b49dc95e3306e7e53935009eea36177e432f68",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 56
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "c1d275b6bbcd7c938df0b986a314406c",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 11976,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11976\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11976\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11976\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11976\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11976\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "96ad186aa6fe4556c099529aec18ce32fa90c3ea",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 11976,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11976\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:11976 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "11976 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 56
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 11976,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 11976,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:11976 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:11976\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "11976 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "11976"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
6469 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:6469 · (tentative d'exploit) · → /favicon.ico
|
Élevée
|
Moyen · 57
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6469
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 57
Confiance : Confiance 50 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:6469
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
A
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6469 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "a9423aaa7cfd1560b7682bd45eb59cbca0a5c4e1",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 184,
"payload_entropy": 5.197840762032827,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 6469,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 57,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "99d23ca5619defafc3e9858ff1e850179812174a",
"event_fingerprint": "12ac799bff317add597a056fa1e6d1fd585804e0",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.5,
"classification_confidence": 0.5,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 57
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "2a78c167be3d7449e2342092db29182f",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 6469,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6469\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6469\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6469\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6469\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6469\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "85cd93fe50ab2e41afbcb05045c5540ff1704bbc",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 6469,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6469\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"attack_vector": "lfi path traversal \u00b7 via HTTP:6469 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "6469 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 57
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 6469,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 6469,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:6469 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6469\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA",
"target_port_label": "6469 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "6469"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
4160 · HTTP
|
http
|
Sonde HTTP smuggling
http smuggling probe · via HTTP:4160 · (tentative d'exploit) · → /mcp
|
Élevée
|
Moyen · 60
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
34
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950383:rce-14
950406:ssrf-3
Cible HTTP
POST
/mcp
TLS SNI
—
Capteur
paris-1
|
Méthode
POST
Port
4160
Chemin / cible
/mcp
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 60
Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
Ligne de requête
POST /mcp HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
rce-14
ssrf-3
nosqli-3
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:4160
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:4160 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio
Meta JSON brut
{
"http_header_count": 8,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "77ca92753413b1147b106b353bf2f1d20ed63ddd",
"http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 447,
"payload_entropy": 5.205146561654335,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 4160,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 60,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "8e968d74d91c3e5de89bc4d4d0a7edc766b58c22",
"event_fingerprint": "9d919aee89339d3f0c0149bd9e01a5116d54554d",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 60
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "b32597cad7f5621fa2072f3d37af469c",
"path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3"
},
"target_context": {
"dst_port": 4160,
"service": "http",
"service_name": "http",
"risk_score": 60
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:4160\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:4160\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:4160\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"evidence": {
"method": "POST",
"path": "\/mcp",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"rce-14",
"ssrf-3",
"nosqli-3"
],
"request_line": "POST \/mcp HTTP\/1.1",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:4160\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:4160\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "69357e72bac274923ee9d78891a23bc85063a1a9",
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 4160,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:4160\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"attack_vector": "http smuggling probe \u00b7 via HTTP:4160 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"target_port_label": "4160 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 60
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 60,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 4160,
"protocol_emulated": null,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/mcp",
"request_line": "POST \/mcp HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 4160,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "http smuggling probe \u00b7 via HTTP:4160 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:4160\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"target_port_label": "4160 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "4160"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950383:rce-14",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
25485 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:25485 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
25485
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 55
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:25485
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:25485 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "2cccf272f13b8ac8dd6a57451b6b852a3611c64e",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.1794743123023315,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 25485,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c7ec0c5f252d57881fcc344106755c016dae6675",
"event_fingerprint": "772a40e3d207e570abd2e96970fcb7aeb25e5033",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "ba83e36152546e263cd890c78543060a",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 25485,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:25485\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:25485\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:25485\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:25485\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:25485\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "136e9501cba38946c35edb846200a9c83e3c448e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 25485,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:25485\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:25485 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "25485 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 25485,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 25485,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:25485 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:25485\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "25485 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "25485"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"winrm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
5985 · WINRM
|
winrm
|
Sonde HTTP smuggling
http smuggling probe · via WINRM:5985 · (tentative d'exploit)
|
Élevée
|
Moyen · 52
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
Émulateur
WINRM
WAF
—
Recommandation
Investiguer
Tags
mozi_pattern
net_winrm_probe
winrm_emulated
winrm_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5985
Chemin / cible
—
Service
WINRM
Payload
POST /mcp HTTP/1.1 Host: 62.3.50.33:5985 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-
Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 52
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0842
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
LFI Double-dot bypass
User-Agent
—
Règles WAF
—
Payload (extrait)
POST /mcp HTTP/1.1
Host: 62.3.50.33:5985
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Content-
Requête brute (extrait)
POST /mcp HTTP/1.1 Host: 62.3.50.33:5985 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303120556e617574686f72697a65640d0a5757572d41757468656e7469636174653a204e65676f74696174650d0a436f6e74656e742d4c656e6774683a20300d0a0d0a",
"emulator_response_len": 77,
"bytes_in": 447,
"payload_entropy": 5.214173259425786,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "winrm",
"app_proto": "winrm",
"asn": 25369,
"country": "GB",
"dst_port": 5985,
"risk_waf": 8,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 1.7,
"risk_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 15
},
"risk_score": 52,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "410089d4fbeb13d0b4dbe6bdedeaeb5ff391b19f",
"event_fingerprint": "69c3741eda286def0bdd9c17863648ff58bc3b2f",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 84,
"precision_signals": [
"pat-0842"
],
"kb_rule_ids": [
"pat-0842"
],
"matched_patterns": [
"pat-0842",
"pat-0103"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0842",
"pat-0103"
],
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 15,
"risk_score": 52
},
"named_classification_skipped": false,
"service_name": "winrm",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ea5cb1214cfd1751d4a7df6ef1aaf3d5",
"path_pattern_hash": "06b55a159b5d265fc8976ebb0a005f8a"
},
"target_context": {
"dst_port": 5985,
"service": "winrm",
"service_name": "winrm",
"risk_score": 52
},
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"evidence": {
"request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio",
"payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"web_injection"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b88ba09b78ff77e69ac74e5aed6dd270b59378bf",
"protocol_details": {
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"port": 5985,
"service": "winrm",
"service_label_fr": "WINRM"
},
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"attack_vector": "http smuggling probe \u00b7 via WINRM:5985 \u00b7 (tentative d'exploit)",
"target_port_label": "5985 \u00b7 WINRM",
"emulator_service": "winrm",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via WINRM",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 15,
"risk_score": 52
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 52,
"risk_label": "Moyen",
"service_name": "winrm",
"service_label_fr": "WINRM",
"dst_port": 5985,
"protocol_emulated": true,
"tags_summary": [
"pat-0842"
],
"tags_summary_labels_fr": [
"pat-0842"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-winrm",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"port": 5985,
"service": "winrm",
"service_label_fr": "WINRM"
},
"attack_vector": "http smuggling probe \u00b7 via WINRM:5985 \u00b7 (tentative d'exploit)",
"evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:5985\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-",
"target_port_label": "5985 \u00b7 WINRM",
"emulator_service": "winrm",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "winrm",
"service_banner": "honeypot-winrm",
"service_os": "linux",
"dst_port": "5985"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"mozi_pattern",
"net_winrm_probe",
"winrm_emulated",
"winrm_payload"
]
}
|
|
|
TCP |
13573 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:13573 · (tentative d'exploit) · → /sse
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sse
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
13573
Chemin / cible
/sse
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /sse HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /sse HTTP/1.1
Host: 62.3.50.33:13573
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept:
Requête brute (extrait)
GET /sse HTTP/1.1 Host: 62.3.50.33:13573 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "13468698c5db89c37fe5cbfc6d46d70f54e51e0d",
"http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 191,
"payload_entropy": 5.1540567574736755,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 13573,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 58,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d5d2facf54482a44e8e7aabf57c8163029169bcc",
"event_fingerprint": "1ba2748f2ae5f8688087a75ffa4fa861cde38570",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 58
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "b3f0b21fcc161b810bc5f370757ec6ad",
"path_pattern_hash": "9c55a765acd7167a274de1a30a6df566"
},
"target_context": {
"dst_port": 13573,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13573\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: ",
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13573\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13573\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"evidence": {
"method": "GET",
"path": "\/sse",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/sse HTTP\/1.1",
"request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13573\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13573\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "14b959721ee21e9ce7cc320be4cbfcbc9b5de118",
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 13573,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13573\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"attack_vector": "lfi path traversal \u00b7 via HTTP:13573 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"target_port_label": "13573 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 58
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 13573,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/sse",
"request_line": "GET \/sse HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 13573,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:13573 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse",
"evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:13573\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:",
"target_port_label": "13573 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "13573"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
20792 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:20792 · (tentative d'exploit)
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20792
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 58
Confiance : Confiance 59 % — 5 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Conne
Requête brute (extrait)
GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 144,
"payload_entropy": 5.097605644356062,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 20792,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "6772164cb9424bd701afc3cd5c620a403e058989",
"event_fingerprint": "88d34d89ba47993c0e6d3208bc60e77ea960bcd8",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "973598b044a4648e3c3fc5667c0c8ce9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 20792,
"service": "http",
"service_name": "http",
"risk_score": 58
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3438ff5261f6e0809131ed2e28ff564610430c04",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 20792,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"attack_vector": "lfi path traversal \u00b7 via HTTP:20792 \u00b7 (tentative d'exploit)",
"target_port_label": "20792 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25,
"risk_score": 58
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 58,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 20792,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 20792,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:20792 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"target_port_label": "20792 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "20792"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
30152 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:30152 · (tentative d'exploit) · → /favicon.ico
|
Élevée
|
Moyen · 57
|
|
Étape
Tentative d'exploit
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0001
TA0001
TA0002
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Émulateur
HTTP
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30152
Chemin / cible
/favicon.ico
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50%
Confiance classification
60%
Corrélation +10
Risque capteur
Moyen
· 57
Confiance : Confiance 50 % — 4 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:30152
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:30152 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "12c4099cca802808427d8b5674886c053a8dca88",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.165608286494906,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 30152,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 57,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b64ff5e098c3672be2ad983928b8725c68dbf0b8",
"event_fingerprint": "2322dbbec35d4473e3a7b7c34f364d16b5180af4",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.6,
"classification_confidence": 0.6,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 10
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "17d17fe246f12efd35b826cb2da9b952",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 30152,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cdb10303b8aa99e1611fbe25202c15926b4630f2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 30152,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"attack_vector": "lfi path traversal \u00b7 via HTTP:30152 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "30152 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 60 % \u2014 via HTTP \u2014 campagne \/24 (185.216.145.0\/24)",
"confidence_pct": 60,
"confidence_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 10
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 30152,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"port": 30152,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:30152 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:30152\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"target_port_label": "30152 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (185.216.145.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30152"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "185.216.145.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
3352
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 55
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3352
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:3352
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:3352 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "bff3efe26a95760af7be1015bb3e6f73f6270786",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.169630074180798,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 3352,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 55,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "83cd8988a14569aa53eb34bf1bc00b56cbb0d047",
"event_fingerprint": "03a626c44c2ba30984688fc4067f0e75b0b711a8",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "2b8f68e04a1b8b396ae84714cfeba293",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 3352,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3352\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3352\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3352\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3352\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3352\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9b4d40a74b12b93614261d785ffa8298ab076f11",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
27414
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 56
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
27414
Chemin / cible
/
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:27414
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:27414 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "9ab0f82c8590e83acac10e02d4afca36fc358b10",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.216046067278179,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 27414,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 56,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "d34b120413d289ef68df46b119f68726f81ff249",
"event_fingerprint": "81b9d0c479b390dff99879bfcc9ea19d6503594c",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "57832fa3ebba72ff43837889ce45ccd0",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 27414,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27414\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27414\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27414\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27414\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27414\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "159562cf457d8ce98588fdec1e0e188d495e7549",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
29443
|
http
|
Traversal LFI
|
Élevée
|
Moyen · 58
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
29443
Chemin / cible
/
Pourquoi cette classification : Tags WAF: lfi-14, rce-0, ssrf-3
Confiance classification
59%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:29443
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:29443 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: */* Connection: close Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "53a0dc9fbaf14632b7e4bcbff1723d294c94c1b4",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.216046067278179,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 29443,
"risk_waf": 100,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 100,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 58,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "335db89fc643771cb375bcfa19101ebca1508a2d",
"event_fingerprint": "1c366bcc097a878a6554faabce25a5577158d5aa",
"classification_reason": "Tags WAF: lfi-14, rce-0, ssrf-3",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"WAF \u00ab lfi-14 \u00bb"
],
"classification_parent": "path_traversal",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "b5f6eb0c47d20606b507f69d80c8f1f6",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 29443,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29443\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29443\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29443\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29443\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:29443\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"classification_reason": "Tags WAF: lfi-14, rce-0, ssrf-3"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "edf061370d165abf7b5a2d310c8c35fbed0171d2",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
2663
|
http
|
web attack
|
Élevée
|
Moyen · 64
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2663
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2663
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "d4ed5ccf62316cf4c108d2a13e764371f4c9c725",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.178934354379854,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 2663,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 64,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "67cd8cd5b7252b4a2e9ec01d1cecadfc49cbdfe7",
"event_fingerprint": "7a5821546e2db0ed192211538bcfcd0fb95a5325",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "fbd3bf0f706d523120a38a245ae5bf2b",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2663,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2663\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r",
"event_signature": "b731ece02323dfb3b26cec8ecf0a9ba4573f1651",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
27960
|
http
|
web attack
|
Élevée
|
Moyen · 64
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
27960
Chemin / cible
/favicon.ico
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:27960
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "7acba156b822ec7508b501fe6ddb57167fd28769",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.204771056753481,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 27960,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 64,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "44f405c62c4a86bd455e39cb893fb0fb8d8fe14e",
"event_fingerprint": "636decd990d1032c34c7ec8932051c7a3e9ef952",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "a79eeff999b03b2a50abfa944fa195c9",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 27960,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:27960\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"event_signature": "fad95ba373815b0d6ed285a0847617d564225bed",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
26078
|
http
|
web attack
|
Élevée
|
Moyen · 60
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
26078
Chemin / cible
/favicon.ico
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:26078
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "d0824c477169cf89ca21b7502dc3a5836386acfd",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.204771056753481,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 26078,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 60,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "6081aea8b5c786e1c1a4e7d5419bddb2a181ccfd",
"event_fingerprint": "430da5a79600198dd6c40d211d2ce082bf166338",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "5715492d8645e6dbf1855fffa3ba3cf8",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 26078,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26078\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"event_signature": "654661b4f326fc222588da4589f2e31b50bc3130",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
14741
|
http
|
web attack
|
Élevée
|
Moyen · 62
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
27
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
14741
Chemin / cible
/favicon.ico
Confiance classification
92%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:14741
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "93f6206c8707fb8d8e2ea701d59656399cfa44a0",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.196070297432201,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 14741,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 62,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "bed662a8b559d7492b2c6ec5e126446c8ae360ff",
"event_fingerprint": "09964d244fada36b798554c8ba573393792bc8a1",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "9c3930c62cb8b501ef71b95d06b8159d",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 14741,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.92,
"classification_confidence": 0.92,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14741\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n",
"event_signature": "f1a73a47862028d02a65fcb7b380de5930df3441",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
12270
|
http
|
web attack
|
Élevée
|
Moyen · 64
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12270
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12270
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "9c862b4e101f4a2b92020bfc43024c3da4d1e25a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.193057561531052,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"dst_port": 12270,
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 64,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "eaa0a7ee8828818883d8b734f4664d3f85183560",
"event_fingerprint": "0e730e7dfbdcaab28d39d87f0ce80bb130829d64",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "47fffaa6929d0dc6f4dd6e5d1257bf5f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 12270,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12270\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*",
"event_signature": "82c5359151348db9f32830b3ee8a1f9e8081e69f",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
6556
|
—
|
Sonde port
|
Faible
|
Faible · 12
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6023
|
—
|
Sonde port
|
Faible
|
Faible · 11
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
6023
Chemin / cible
—
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 12,
"payload_entropy": 0.8166890883150209,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": null,
"app_proto": null,
"asn": 25369,
"country": "GB",
"dst_port": 6023,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 11,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "c92e5e43ec6c1464bebe51564fd3f1ec376ce077",
"event_fingerprint": "0a81c71726063bb670bc52b72c57a50f6cb9037f",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ad33d13d6bc3bd05c9957f130811a989",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 6023
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.55,
"classification_confidence": 0.55,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"event_signature": "edaf85785230ed2fb4502e7d460d4a8f8daed1fb",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
5608
|
http
|
web attack
|
Élevée
|
Moyen · 60
|
|
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
30
Recommandation
Investiguer
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5608
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Accept: */*
Conne
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 144,
"payload_entropy": 5.097605644356062,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"risk_waf": 100,
"risk_classification": 100,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 25,
"risk_boost": 0,
"risk_breakdown": {
"waf": 100,
"classification": 100,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 25
},
"risk_score": 60,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "8c3e51e9d5c0b8ff3759648b7ec870da44bca9d5",
"event_fingerprint": "67358e142ac9e2997ea774757db906ccadbd2f9e",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 25369,
"org": "Hydra Communications Ltd",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154",
"payload_hash": "973598b044a4648e3c3fc5667c0c8ce9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5608,
"service": "http"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"threat_family": [
"unknown"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne",
"event_signature": "4d50ab4d42c943676d6c4c1b7d2506d52afd9e7f",
"ban_policy": "advisory_investigate",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
16899
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
16899
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "d7cf28cc747f21f88da082c754c2bc35beafc23d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.216046067278179,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "dd7a1f185d322098c457795044368c5503dc009f",
"event_fingerprint": "61c17ab8c1cbe2167730c73bd4980339e7b29a5c",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5227
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5227
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 144,
"payload_entropy": 5.097605644356062,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "90c678c07ecb5688daa5120e50496e936b61ec0f",
"event_fingerprint": "6f3bbc6dffe151da1be3d1f97f7a2ef2fecf0a9c",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
9192
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9442
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6704
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
6704
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "a98e3cde58167451a4f59aa9dbd728f892e5d8c8",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.206419253236291,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "cf88547fa88376426217286752f3f1c4c6331015",
"event_fingerprint": "60eae7fd5f91ab051bb47bab70a61c48da7e20bc",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
1073
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2582
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
7447
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
7447
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 144,
"payload_entropy": 5.097605644356062,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "8a94b4ed9af46d03a0a0efeb04066e400464942e",
"event_fingerprint": "225161aee346003b32df7878c0954938681fd7e2",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
16304
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
14178
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
6843
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
17298
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
25489
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
25489
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "b732379e768f9f913cbd8f8a9928b465623f33c6",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.230357705184346,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "61997f11b87bd34a035847a1bdc47a901a1c7aa9",
"event_fingerprint": "a5395a67379e62647057d677b00d9ed46f8f1461",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
20774
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20774
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "c1e5935fc07c9f85e371a2a8ec05c92c886d3385",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.216046067278179,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "3471179c91def72d98bf709293881edc6b7fc213",
"event_fingerprint": "eb72f6ca4985513fb7fe20f6d9b04438e67478c8",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
31472
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
31472
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 144,
"payload_entropy": 5.097605644356062,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "c63736fd0466105a073e427d0f63831a0d24bd0f",
"event_fingerprint": "469f6f58e765fdb46a90573721388dc6675d05ab",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
12436
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
12436
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "dd7d484cd320d047ebac55e2c15f1b947798d3f1",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.197395995451532,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "83a737eb34fb494ffedfbec29b9e2f9397a0faa9",
"event_fingerprint": "4c243b37e2cd052dc76a35de15be57db1a88f523",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
8926
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
11403
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11403
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "344a1a432a271ddb523697d4d8d69e43a0acb4d4",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.180989369174099,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "67277556d694f7b696bbf4b932f89c5398ca0ec0",
"event_fingerprint": "c333ba445168f263cc90862c210d448fd6bd7b03",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
6769
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
11185
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
25201
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
26432
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
26432
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1",
"http_host_hash": "34f65ac1409ee7261e86ccb87f376ca96db6d02d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.2002133804841355,
"port_category": "registered",
"org": "Hydra Communications Ltd",
"service": "http",
"app_proto": "http",
"asn": 25369,
"country": "GB",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "7629b5760e32162eafd846f912639acd1905ced3",
"event_fingerprint": "849772c74a5da0b1d2875d43ed77724a95f6c1c5",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
22776
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|