Renseignement sur les menaces

Brésil

187.17.228.218

FAI LANTEC COMUNICACAO MULTIMIDIA LTDA Première vue 14/05/2026 18:37 UTC Dernière vue 15/06/2026 07:38 UTC Risque Critique

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte · risque 45/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 14/05/2026 18:37 UTC

Dernière observation 15/06/2026 07:38 UTC

Événements (période) 24

MITRE ATT&CK principal TA0007 3 occurrences

Activité suspecte · risque 45/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « cpanel_probe » (signaux protocolaires) · confiance 50%

Confiance 50 % — Score WAF 8

Comparaison ASN / FAI

ASN 28267 · 187.17.228.0/24 · LACNIC — 2 pair(s) ASN/FAI listé(s) sur la base · 24 événements sur la période pour cette IP.

187.17.224.139 web attack 22/05/2026 00:15 UTC
187.17.230.84 telnet attack 06/05/2026 22:22 UTC

Événements (filtres)

Première observation

14/05/2026 18:37 UTC

Dernière observation

15/06/2026 07:38 UTC

Dernière activité (filtres)

15/06/2026 07:38 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 12 TLS TCP 11 CPANEL WHM TCP 1

HTTP

TLS

CPANEL WHM

Géolocalisation

Origine réseau déclarée

Brésil unknown unknown

FAI / réseau

Opérateur et dernière activité ban

LANTEC COMUNICACAO MULTIMIDIA LTDA 18 Port 2087 cpanel_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

cpanel probe · via CPANEL WHM:2087 · (sonde / probe)

Détails protocole

Aperçu payload

��oz߲�h �=��^U�P��0�1=�V� t�[F`�~{ijv�<��`�'��vS ��,�0��̨̩̪��]�a�W�S��+�/��

Port / service

2087 · CPANEL WHM

Service émulé

CPANEL-WHM

Raison confiance

Confiance 50 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0554

Confiance

50% Confiance modérée — signal unique

Famille de menace

enterprise_scan

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

24 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

24 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
15/06/2026 07:38:56 UTC	TCP	2087 · CPANEL WHM	cpanel-whm	cpanel probe cpanel probe · via CPANEL WHM:2087 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur CPANEL-WHM WAF — Recommandation Surveiller Tags cpanel_whm_emulated cpanel_whm_payload net_cpanel_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Service CPANEL WHM Payload ��oz߲�h �=��^U�P��0�1=�V� t�[F`�~{ijv�<��`�'��vS ��,�0��̨̩̪��]�a�W�S��+�/�� Pourquoi cette classification : Type « cpanel_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��oz߲�h �=��^U�P��0�1=�V� t�[F`�~{ijv�<��`�'��vS��,�0��̨̩̪��]�a�W�S��+�/�� Requête brute (extrait) ��oz߲�h �=��^U�P��0�1=�V� t�[F`�~{ijv�<��`�'��vS ��,�0��̨̩̪��]�a�W�S��+�/��\�`�V�R��$�(kj�s�w��m��#�'g@�r�v��l�� 98��:�� 32��ED�4�F��Q��P=�<�5� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "bytes_in": 431, "payload_entropy": 5.848999221070646, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "cpanel-whm", "app_proto": "cpanel-whm", "asn": 28267, "country": "BR", "dst_port": 2087, "risk_waf": 8, "risk_classification": 50, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "51584d32aeb6bcba72953119cc78a0e0836a8f64", "event_fingerprint": "bd94c1be47794e5b05816ea1bc287e14296ba082", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 45 }, "service_name": "cpanel-whm", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "507489b0a5ae898babccf3eab92385e8", "path_pattern_hash": "e7139612faef5d92b03716e3491ff506" }, "target_context": { "dst_port": 2087, "service": "cpanel-whm", "service_name": "cpanel-whm", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\u0007\ufffd^U\ufffdP\ufffd\u0011\ufffd\ufffd\u00060\ufffd\u000e1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ij\u0015v\ufffd<\ufffd\ufffd\ufffd\ufffd`\ufffd'\ufffd\ufffd\ufffd\u0011vS\f\u001c\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\u0007\ufffd^U\ufffdP\ufffd\u0011\ufffd\ufffd\u00060\ufffd\u000e1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ij\u0015v\ufffd<\ufffd\ufffd\ufffd\ufffd`\ufffd'\ufffd\ufffd\ufffd\u0011vS\f\u001c\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\u0007\ufffd^U\ufffdP\ufffd\u0011\ufffd\ufffd\u00060\ufffd\u000e1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ij\u0015v\ufffd<\ufffd\ufffd\ufffd\ufffd`\ufffd'\ufffd\ufffd\ufffd\u0011vS\f\u001c\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "410c08e7a66c47a48bcb58d2f519f3b20c888a44", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\u0007\ufffd^U\ufffdP\ufffd\u0011\ufffd\ufffd\u00060\ufffd\u000e1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ij\u0015v\ufffd<\ufffd\ufffd\ufffd\ufffd`\ufffd'\ufffd\ufffd\ufffd\u0011vS\f\u001c\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "evidence_snippet": "\ufffd\ufffd\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\ufffd^U\ufffdP\ufffd\ufffd\ufffd0\ufffd1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ijv\ufffd<\ufffd\ufffd\ufffd\ufffd`\ufffd'\ufffd\ufffd\ufffdvS\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd", "attack_vector": "cpanel probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 50, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "cpanel-whm", "service_label_fr": "CPANEL WHM", "dst_port": 2087, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-whm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\u0007\ufffd^U\ufffdP\ufffd\u0011\ufffd\ufffd\u00060\ufffd\u000e1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ij\u0015v\ufffd<\ufffd\ufffd\ufffd\ufffd`\ufffd'\ufffd\ufffd\ufffd\u0011vS\f\u001c\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "attack_vector": "cpanel probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\ufffd^U\ufffdP\ufffd\ufffd\ufffd0\ufffd1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ijv\ufffd<\ufffd\ufffd\ufffd\ufffd`\ufffd'\ufffd\ufffd\ufffdvS\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_whm", "service_banner": "honeypot-cpanel-whm", "service_os": "linux", "dst_port": "2087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_whm_emulated", "cpanel_whm_payload", "net_cpanel_probe", "tls_clienthello" ] }
15/06/2026 07:16:56 UTC	TCP	5038 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:5038 · (tentative d'exploit) · → /admin/config.php	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /admin/config.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5038 Chemin / cible /admin/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62. Requête brute (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62.3.50.33 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "dst_port": 5038, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 57, "tag_count": 7, "anomaly_count": 0, "campaign_key": "2be0874cecdbeb134042563160d049023cd26794", "event_fingerprint": "999c9fe90ba5ff6a46e4991c1decf1856a2abf86", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118", "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "LFI Generic config.php", "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0118", "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63279522febcf5538b72996c16a8660f", "payload_hash": "0b0c3190d88f62a32793d470bac0077c", "path_pattern_hash": "7bb92ff73e997d70f080d1bb140deb9a" }, "target_context": { "dst_port": 5038, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "evidence": { "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17666e1e1cc14ef685f7a4ae67c8891bcb2cf372", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/config.php", "request_line": "GET \/admin\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 5038, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "attack_vector": "config file probe \u00b7 via HTTP:5038 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/config.php", "target_port_label": "5038 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5038, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/admin\/config.php", "request_line": "GET \/admin\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 5038, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:5038 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/config.php", "evidence_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "target_port_label": "5038 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5038" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_admin", "http_sensitive_path" ] }
15/06/2026 07:16:09 UTC	TCP	2087 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2087 · (tentative d'exploit) · → /admin/config.php	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1083 TA0001 TA0002 Protocole GET /admin/config.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2087 Chemin / cible /admin/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62. Requête brute (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62.3.50.33 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "dst_port": 2087, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 57, "tag_count": 8, "anomaly_count": 0, "campaign_key": "0c4f3014eee362a17afe159620f74649a3a93b40", "event_fingerprint": "86051beaf77efaed2055a74af5c8502cbccf5da1", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118", "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "LFI Generic config.php", "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0118", "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63279522febcf5538b72996c16a8660f", "payload_hash": "0b0c3190d88f62a32793d470bac0077c", "path_pattern_hash": "7bb92ff73e997d70f080d1bb140deb9a" }, "target_context": { "dst_port": 2087, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "evidence": { "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "19654913dc96c5c4d0588f72b2266a72ba27603e", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/config.php", "request_line": "GET \/admin\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 2087, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "attack_vector": "config file probe \u00b7 via HTTP:2087 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/config.php", "target_port_label": "2087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2087, "protocol_emulated": true, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/admin\/config.php", "request_line": "GET \/admin\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 2087, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2087 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/config.php", "evidence_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "target_port_label": "2087 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_admin", "http_sensitive_path", "net_web_probe" ] }
15/06/2026 07:02:03 UTC	TCP	2086 · HTTP	http	Sonde fichier configuration config file probe · via HTTP:2086 · (tentative d'exploit) · → /admin/config.php	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1083 TA0001 TA0002 Protocole GET /admin/config.php UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2086 Chemin / cible /admin/config.php Service HTTP Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux Http Sensitive Upstream Waf Score Technique MITRE T1083 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php ET Magento admin ES admin GET ActiveMQ console Ligne de requête `GET /admin/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62. Requête brute (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62.3.50.33 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "dst_port": 2086, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 56, "tag_count": 7, "anomaly_count": 0, "campaign_key": "6ecbefbedf616a82e597ff5aefd3a77313f737d6", "event_fingerprint": "cc93ea1d264ad5608c9f5373d06a2c0418d0a621", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118", "pat-0854", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "LFI Generic config.php", "ET Magento admin", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0118", "pat-0854", "pat-0341", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "backup_file_scan", "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63279522febcf5538b72996c16a8660f", "payload_hash": "0b0c3190d88f62a32793d470bac0077c", "path_pattern_hash": "7bb92ff73e997d70f080d1bb140deb9a" }, "target_context": { "dst_port": 2086, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "evidence": { "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1083" ], "mitre": "T1083", "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fb3595b5c70268bcd0d7fb2dff6c60a3d8004816", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/config.php", "request_line": "GET \/admin\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 2086, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "attack_vector": "config file probe \u00b7 via HTTP:2086 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/config.php", "target_port_label": "2086 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2086, "protocol_emulated": null, "tags_summary": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Sensitive", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1083", "mitre_technique": "T1083", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/admin\/config.php", "request_line": "GET \/admin\/config.php HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "port": 2086, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "config file probe \u00b7 via HTTP:2086 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/admin\/config.php", "evidence_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "target_port_label": "2086 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_admin", "http_sensitive_path" ] }
15/06/2026 07:00:19 UTC	TCP	2086 · TLS	tls	Sonde TLS tls probe · via TLS:2086 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 effe96911320528d Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2086 Chemin / cible — Service TLS Payload ��G�H_�%X`�b;�R>\��hO�4׳Y߸L� �Om�>2�y��]��]�D�@�O�vW�^��!��,�0��̨̩̪��]�a�W�S��+�/�� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��G�H_�%X`�b;�R>\��hO�4׳Y߸L� �Om�>2�y��]��]�D�@�O�vW�^��!��,�0��̨̩̪��]�a�W�S��+�/�� Requête brute (extrait) ��G�H_�%X`�b;�R>\��hO�4׳Y߸L� �Om�>2�y��]��]�D�@�O�vW�^��!��,�0��̨̩̪��]�a�W�S��+�/��\�`�V�R��$�(kj�s�w��m��#�'g@�r�v��l�� 98��:�� 32��ED�4�F��Q��P=�<�5� Meta JSON brut { "tls_ja3_hash": "effe96911320528dfdfdba040c9e915b", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 32, "bytes_in": 431, "payload_entropy": 5.8858937648428675, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "tls", "app_proto": "tls", "asn": 28267, "country": "BR", "dst_port": 2086, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d56f9be6fee8395bc77695e4b529822e28e9256d", "event_fingerprint": "8ab0dc376f91e9ede4efc546810baa23dae24976", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "effe96911320528dfdfdba040c9e915b", "payload_hash": "5cd3429ce5dc8ee64d57a10e5d99529a", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2086, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\u0006\ufffdR>\\\ufffd\u0007\ufffdhO\ufffd\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\u001e\ufffd>2\u001a\ufffd\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\u0006\ufffdR>\\\ufffd\u0007\ufffdhO\ufffd\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\u001e\ufffd>2\u001a\ufffd\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\u0006\ufffdR>\\\ufffd\u0007\ufffdhO\ufffd\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\u001e\ufffd>2\u001a\ufffd\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b67c362ae55a1afdc061a3bcf7cd0a76b099a62a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\u0006\ufffdR>\\\ufffd\u0007\ufffdhO\ufffd\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\u001e\ufffd>2\u001a\ufffd\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "tls_ja3": "effe96911320528dfdfdba040c9e915b", "port": 2086, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdG\ufffdH_\ufffd%X`\ufffdb;\ufffdR>\\\ufffd\ufffdhO\ufffd4\u05f3Y\u07f8L\ufffd \ufffdOm\ufffd>2\ufffdy\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd", "attack_vector": "tls probe \u00b7 via TLS:2086 \u00b7 (sonde \/ probe)", "target_port_label": "2086 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2086, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\u0006\ufffdR>\\\ufffd\u0007\ufffdhO\ufffd\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\u001e\ufffd>2\u001a\ufffd\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "tls_ja3": "effe96911320528dfdfdba040c9e915b", "port": 2086, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:2086 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdG\ufffdH_\ufffd%X`\ufffdb;\ufffdR>\\\ufffd\ufffdhO\ufffd4\u05f3Y\u07f8L\ufffd \ufffdOm\ufffd>2\ufffdy\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd", "target_port_label": "2086 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 06:53:57 UTC	TCP	5038 · TLS	tls	Sonde TLS tls probe · via TLS:5038 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 effe96911320528d Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5038 Chemin / cible — Service TLS Payload ��J�I�ֺj&Eu�ڿ��LIn��%�� c��xL'�9ğ?��iRG+�ˤ�4�3��,�0��̨̩̪��]�a�W�S��+�/�� Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 50 % — Motif catalogue confirmé Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��J�I�ֺj&Eu�ڿ��LIn��%�� c��xL'�9ğ?��iRG+�ˤ�4�3��,�0��̨̩̪��]�a�W�S��+�/�� Requête brute (extrait) ��J�I�ֺj&Eu�ڿ��LIn��%�� c��xL'�9ğ?��iRG+�ˤ�4�3��,�0��̨̩̪��]�a�W�S��+�/��\�`�V�R��$�(kj�s�w��m��#�'g@�r�v��l�� 98��:�� 32��ED�4�F��Q��P=�<�5� Meta JSON brut { "tls_ja3_hash": "effe96911320528dfdfdba040c9e915b", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 32, "bytes_in": 431, "payload_entropy": 5.890229864050712, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "tls", "app_proto": "tls", "asn": 28267, "country": "BR", "dst_port": 5038, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "07b2b6194ec6797867b9ef1a126f0cf27829d3f3", "event_fingerprint": "07639ed5a166b5a75852e9c4e931b1a3ab72aee3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "effe96911320528dfdfdba040c9e915b", "payload_hash": "4e2e48a28af18cf5fa866befe1f4e805", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 5038, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdJ\ufffdI\u0006\ufffd\u05baj&Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\u0019 c\ufffd\ufffd\ufffd\u0010\u000exL'\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdJ\ufffdI\u0006\ufffd\u05baj&Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\u0019 c\ufffd\ufffd\ufffd\u0010\u000exL'\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdJ\ufffdI\u0006\ufffd\u05baj&Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\u0019 c\ufffd\ufffd\ufffd\u0010\u000exL'\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c26096d20365db46264727d874a05977f639d991", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdJ\ufffdI\u0006\ufffd\u05baj&Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\u0019 c\ufffd\ufffd\ufffd\u0010\u000exL'\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "tls_ja3": "effe96911320528dfdfdba040c9e915b", "port": 5038, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdJ\ufffdI\ufffd\u05baj&Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffdLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd c\ufffd\ufffd\ufffdxL'\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd", "attack_vector": "tls probe \u00b7 via TLS:5038 \u00b7 (sonde \/ probe)", "target_port_label": "5038 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 5038, "protocol_emulated": null, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffdJ\ufffdI\u0006\ufffd\u05baj&Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\u0019 c\ufffd\ufffd\ufffd\u0010\u000exL'\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "tls_ja3": "effe96911320528dfdfdba040c9e915b", "port": 5038, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "tls probe \u00b7 via TLS:5038 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdJ\ufffdI\ufffd\u05baj&Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffdLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd c\ufffd\ufffd\ufffdxL'\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd", "target_port_label": "5038 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "5038" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
06/06/2026 14:16:36 UTC	TCP	2086	http	Sonde fichier configuration	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2086 Chemin / cible /admin/config.php Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php ES admin GET ActiveMQ console Ligne de requête `GET /admin/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62. Requête brute (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62.3.50.33 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "dst_port": 2086, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 56, "tag_count": 7, "anomaly_count": 0, "campaign_key": "6ecbefbedf616a82e597ff5aefd3a77313f737d6", "event_fingerprint": "cc93ea1d264ad5608c9f5373d06a2c0418d0a621", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "LFI Generic config.php", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0118", "pat-0341", "pat-0606" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63279522febcf5538b72996c16a8660f", "payload_hash": "0b0c3190d88f62a32793d470bac0077c", "path_pattern_hash": "7bb92ff73e997d70f080d1bb140deb9a" }, "target_context": { "dst_port": 2086, "service": "http" }, "payload_preview": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "evidence": { "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fb3595b5c70268bcd0d7fb2dff6c60a3d8004816", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_admin", "http_sensitive_path" ] }
06/06/2026 14:06:16 UTC	TCP	5038	tls	Sonde TLS	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5038 Chemin / cible — Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��{]��r&k�'�6�9=�F�^��\| W��0R�Q7Pj0M�A� ��Ll�V��\|��,�0��̨̩̪��]�a�W�S��+�/�� Requête brute (extrait) ��{]��r&k�'�6�9=�F�^��\| W��0R�Q7Pj0M�A� ��Ll�V��\|��,�0��̨̩̪��]�a�W�S��+�/��\�`�V�R��$�(kj�s�w��m��#�'g@�r�v��l�� 98��:�� 32��ED�4�F��Q��P=�<�5� Meta JSON brut { "tls_ja3_hash": "effe96911320528dfdfdba040c9e915b", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 32, "bytes_in": 431, "payload_entropy": 5.849603935966429, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "tls", "app_proto": "tls", "asn": 28267, "country": "BR", "dst_port": 5038, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 22, "tag_count": 3, "anomaly_count": 0, "campaign_key": "07b2b6194ec6797867b9ef1a126f0cf27829d3f3", "event_fingerprint": "07639ed5a166b5a75852e9c4e931b1a3ab72aee3", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "effe96911320528dfdfdba040c9e915b", "payload_hash": "077804e3f285ffdbf4e981253093d45f", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 5038, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\u0013\ufffd\u001c{]\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr&k\ufffd'\u001a\ufffd6\ufffd9=\ufffdF\u0007\ufffd^\u0012\ufffd\ufffd\| W\ufffd\ufffd0R\ufffdQ7\u0017P\u0019j0M\ufffdA\u0004\ufffd\n\ufffd\ufffd\u0005\ufffdLl\u0015\ufffdV\ufffd\ufffd\|\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\u0013\ufffd\u001c{]\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr&k\ufffd'\u001a\ufffd6\ufffd9=\ufffdF\u0007\ufffd^\u0012\ufffd\ufffd\| W\ufffd\ufffd0R\ufffdQ7\u0017P\u0019j0M\ufffdA\u0004\ufffd\n\ufffd\ufffd\u0005\ufffdLl\u0015\ufffdV\ufffd\ufffd\|\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\u0013\ufffd\u001c{]\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr&k\ufffd'\u001a\ufffd6\ufffd9=\ufffdF\u0007\ufffd^\u0012\ufffd\ufffd\| W\ufffd\ufffd0R\ufffdQ7\u0017P\u0019j0M\ufffdA\u0004\ufffd\n\ufffd\ufffd\u0005\ufffdLl\u0015\ufffdV\ufffd\ufffd\|\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\u0013\ufffd\u001c{]\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr&k\ufffd'\u001a\ufffd6\ufffd9=\ufffdF\u0007\ufffd^\u0012\ufffd\ufffd\| W\ufffd\ufffd0R\ufffdQ7\u0017P\u0019j0M\ufffdA\u0004\ufffd\n\ufffd\ufffd\u0005\ufffdLl\u0015\ufffdV\ufffd\ufffd\|\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\u0013\ufffd\u001c{]\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr&k\ufffd'\u001a\ufffd6\ufffd9=\ufffdF\u0007\ufffd^\u0012\ufffd\ufffd\| W\ufffd\ufffd0R\ufffdQ7\u0017P\u0019j0M\ufffdA\u0004\ufffd\n\ufffd\ufffd\u0005\ufffdLl\u0015\ufffdV\ufffd\ufffd\|\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7e97b599dd633d2a6adbc417d641c2183cb1dbfe", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
06/06/2026 13:58:29 UTC	TCP	2087	http	Sonde fichier configuration	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2087 Chemin / cible /admin/config.php Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php ES admin GET ActiveMQ console Ligne de requête `GET /admin/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62. Requête brute (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62.3.50.33 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "dst_port": 2087, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 56, "tag_count": 7, "anomaly_count": 0, "campaign_key": "53db9d27901bbb48b8564f284ee03cf746d8c739", "event_fingerprint": "86051beaf77efaed2055a74af5c8502cbccf5da1", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "LFI Generic config.php", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0118", "pat-0341", "pat-0606" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63279522febcf5538b72996c16a8660f", "payload_hash": "0b0c3190d88f62a32793d470bac0077c", "path_pattern_hash": "7bb92ff73e997d70f080d1bb140deb9a" }, "target_context": { "dst_port": 2087, "service": "http" }, "payload_preview": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "evidence": { "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6f868c24b9fba2980bdf6fd5d6e382123d5cd1b2", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_admin", "http_sensitive_path" ] }
06/06/2026 13:44:05 UTC	TCP	2086	tls	Sonde TLS	Élevée	Faible · 21
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2086 Chemin / cible — Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��^�)._�#��P)�n��_��׏�� !��G=%ܚ��#kf��2Y0��(�s��,�0��̨̩̪��]�a�W�S��+�/�� Requête brute (extrait) ��^�)._�#��P)�n��_��׏�� !��G=%ܚ��#kf��2Y0�� (�s��,�0��̨̩̪��]�a�W�S��+�/��\�`�V�R��$�(kj�s�w��m��#�'g@�r�v��l�� 98��:�� 32��ED�4�F��Q��P=�<�5� Meta JSON brut { "tls_ja3_hash": "effe96911320528dfdfdba040c9e915b", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 32, "bytes_in": 431, "payload_entropy": 5.923057670559709, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "tls", "app_proto": "tls", "asn": 28267, "country": "BR", "dst_port": 2086, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.5, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 21, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d56f9be6fee8395bc77695e4b529822e28e9256d", "event_fingerprint": "8ab0dc376f91e9ede4efc546810baa23dae24976", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "effe96911320528dfdfdba040c9e915b", "payload_hash": "4c508de20ec7efd065bbddc03da0a03e", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2086, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003^\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\u001a\ufffd\ufffd\u000b\ufffd(\ufffds\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003^\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\u001a\ufffd\ufffd\u000b\ufffd(\ufffds\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003^\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\u001a\ufffd\ufffd\u000b\ufffd(\ufffds\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003^\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\u001a\ufffd\ufffd\u000b\ufffd(\ufffds\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003^\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\u001a\ufffd\ufffd\u000b\ufffd(\ufffds\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "de2394aa8a37e3f973962c229b6edcbdc637ab84", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
06/06/2026 13:19:35 UTC	TCP	2087	tls	Sonde TLS	Élevée	Faible · 21
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��9�6Ųz��[��e��y�rI3/� ��6�_�=r �Ҽj�[�\��HN�/��,�0��̨̩̪��]�a�W�S��+�/�� Requête brute (extrait) ��9�6Ųz��[��e��y�rI3/� ��6�_�=r �Ҽj�[�\��HN �/��,�0��̨̩̪��]�a�W�S��+�/��\�`�V�R��$�(kj�s�w��m��#�'g@�r�v��l�� 98��:�� 32��ED�4�F��Q��P=�<�5� Meta JSON brut { "tls_ja3_hash": "effe96911320528dfdfdba040c9e915b", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 32, "bytes_in": 431, "payload_entropy": 5.868981266252983, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "tls", "app_proto": "tls", "asn": 28267, "country": "BR", "dst_port": 2087, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 21, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9dd8f5c85a887493f1e796c0616b327e9c11f965", "event_fingerprint": "f126252052ce10628d986b7abc7a3e590bdfe910", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "effe96911320528dfdfdba040c9e915b", "payload_hash": "0dbb09a5e173f8c9aa4499a9f0e8dd50", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 2087, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd9\ufffd6\u0172\u0019z\ufffd\ufffd\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\u0000\ufffd\u0002r\u0015\u0013I3\/\ufffd\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\n\ufffd\u04bcj\ufffd[\ufffd\\\u001a\u001c\ufffd\ufffd\ufffdHN\u0015\u000b\ufffd\/\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd9\ufffd6\u0172\u0019z\ufffd\ufffd\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\u0000\ufffd\u0002r\u0015\u0013I3\/\ufffd\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\n\ufffd\u04bcj\ufffd[\ufffd\\\u001a\u001c\ufffd\ufffd\ufffdHN\u0015\u000b\ufffd\/\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd9\ufffd6\u0172\u0019z\ufffd\ufffd\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\u0000\ufffd\u0002r\u0015\u0013I3\/\ufffd\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\n\ufffd\u04bcj\ufffd[\ufffd\\\u001a\u001c\ufffd\ufffd\ufffdHN\u0015\u000b\ufffd\/\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd9\ufffd6\u0172\u0019z\ufffd\ufffd\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\u0000\ufffd\u0002r\u0015\u0013I3\/\ufffd\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\n\ufffd\u04bcj\ufffd[\ufffd\\\u001a\u001c\ufffd\ufffd\ufffdHN\u0015\u000b\ufffd\/\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\ufffd`\ufffdV\ufffdR\u0000\ufffd\ufffd$\ufffd(\u0000k\u0000j\ufffds\ufffdw\u0000\ufffd\u0000\ufffd\u0000m\u0000\ufffd\ufffd#\ufffd'\u0000g\u0000@\ufffdr\ufffdv\u0000\ufffd\u0000\ufffd\u0000l\u0000\ufffd\ufffd\n\ufffd\u0014\u00009\u00008\u0000\ufffd\u0000\ufffd\ufffd\u0019\u0000:\u0000\ufffd\ufffd\t\ufffd\u0013\u00003\u00002\u0000\ufffd\u0000\ufffd\u0000E\u0000D\ufffd\u0018\u00004\u0000\ufffd\u0000F\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\u0000=\u0000\ufffd\u0000<\u0000\ufffd\u00005\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd9\ufffd6\u0172\u0019z\ufffd\ufffd\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\u0000\ufffd\u0002r\u0015\u0013I3\/\ufffd\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\n\ufffd\u04bcj\ufffd[\ufffd\\\u001a\u001c\ufffd\ufffd\ufffdHN\u0015\u000b\ufffd\/\ufffd\ufffd\ufffd\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b96c11776e1dbb9c926a835b1c6f724be0a82d2e", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
06/06/2026 13:16:26 UTC	TCP	5038	http	Sonde fichier configuration	Élevée	Moyen · 57
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5038 Chemin / cible /admin/config.php Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « rce-0 » · Sonde fichier sensible / config · confiance 100% Confiance classification 100% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Generic config.php ES admin GET ActiveMQ console Ligne de requête `GET /admin/config.php HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62. Requête brute (extrait) GET /admin/config.php HTTP/1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Accept: / Host: 62.3.50.33 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "dst_port": 5038, "risk_waf": 84, "risk_classification": 74, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 74, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 25 }, "risk_score": 57, "tag_count": 7, "anomaly_count": 0, "campaign_key": "2be0874cecdbeb134042563160d049023cd26794", "event_fingerprint": "999c9fe90ba5ff6a46e4991c1decf1856a2abf86", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 127, "precision_signals": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_sensitive", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0118", "pat-0341", "pat-0606" ], "matched_pattern_names": [ "LFI Generic config.php", "ES admin GET", "ActiveMQ console" ], "pattern_ids": [ "pat-0118", "pat-0341", "pat-0606" ], "classification_parent": "backup_file_scan", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "BR", "asn": 28267, "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "63279522febcf5538b72996c16a8660f", "payload_hash": "0b0c3190d88f62a32793d470bac0077c", "path_pattern_hash": "7bb92ff73e997d70f080d1bb140deb9a" }, "target_context": { "dst_port": 5038, "service": "http" }, "payload_preview": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "evidence": { "method": "GET", "path": "\/admin\/config.php", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/admin\/config.php HTTP\/1.1", "request_sample": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/admin\/config.php HTTP\/1.0\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\r\nAccept: \/\r\nHost: 62.", "classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal", "config_leak_scan" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17666e1e1cc14ef685f7a4ae67c8891bcb2cf372", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_admin", "http_sensitive_path" ] }
29/05/2026 09:47:22 UTC	TCP	2087	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2087 Chemin / cible /admin/config.php Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "tag_count": 6, "anomaly_count": 0, "risk_score": 100, "campaign_key": "cfa9452728ceefbaef5ba6b2601437a31ed1ee78", "event_fingerprint": "591d1d556ef8441274a41d51a6ea93223e0688cb", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path" ] }
29/05/2026 09:39:05 UTC	TCP	5038	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5038 Chemin / cible /admin/config.php Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "tag_count": 6, "anomaly_count": 0, "risk_score": 100, "campaign_key": "f443fd163a06301df1b1445a4c92eae454852c16", "event_fingerprint": "c5207f380cb5c609fd9c1355fee07e45aeefbe6d", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path" ] }
29/05/2026 09:06:03 UTC	TCP	5038	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
29/05/2026 08:58:39 UTC	TCP	2086	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2086 Chemin / cible /admin/config.php Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "tag_count": 6, "anomaly_count": 0, "risk_score": 100, "campaign_key": "1e61fdcaa7667cb11e1aabaa63a181e70bdbb0e2", "event_fingerprint": "9971cab2ab537e4ab85d31062bf99a32001a882f", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path" ] }
29/05/2026 08:53:53 UTC	TCP	2086	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
29/05/2026 08:51:12 UTC	TCP	2087	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
21/05/2026 16:05:04 UTC	TCP	2086	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
21/05/2026 15:53:19 UTC	TCP	2087	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2087 Chemin / cible /admin/config.php Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "tag_count": 6, "anomaly_count": 0, "risk_score": 100, "campaign_key": "cfa9452728ceefbaef5ba6b2601437a31ed1ee78", "event_fingerprint": "591d1d556ef8441274a41d51a6ea93223e0688cb", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path" ] }
21/05/2026 15:51:17 UTC	TCP	5038	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
21/05/2026 15:18:16 UTC	TCP	2086	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2086 Chemin / cible /admin/config.php Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "tag_count": 6, "anomaly_count": 0, "risk_score": 100, "campaign_key": "1e61fdcaa7667cb11e1aabaa63a181e70bdbb0e2", "event_fingerprint": "9971cab2ab537e4ab85d31062bf99a32001a882f", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path" ] }
21/05/2026 15:17:12 UTC	TCP	2087	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
21/05/2026 15:00:34 UTC	TCP	5038	http	web attack	Élevée	Critique · 100
Étape — WAF 19 Recommandation — Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /admin/config.php TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5038 Chemin / cible /admin/config.php Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Règles WAF 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "php", "http_ua_hash": "5002ada1c05fac60ce2af638d5f54066641d121c", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "d56b1a05959828284b2f82de68035f0901a81dcd", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 139, "payload_entropy": 5.27991234142951, "port_category": "registered", "org": "LANTEC COMUNICACAO MULTIMIDIA LTDA", "service": "http", "app_proto": "http", "asn": 28267, "country": "BR", "tag_count": 6, "anomaly_count": 0, "risk_score": 100, "campaign_key": "f443fd163a06301df1b1445a4c92eae454852c16", "event_fingerprint": "c5207f380cb5c609fd9c1355fee07e45aeefbe6d", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_probe_admin", "http_sensitive_path" ] }

187.17.228.218

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence