{"ip":"187.17.228.218","exported_at":"2026-06-18T06:53:27+00:00","period_days":30,"metrics":{"events7d":6,"distinct_ports":3,"distinct_classifications":3,"max_severity":9,"last_sensor_id":"paris-1","max_waf_score":19,"max_risk_score":100,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["enterprise_scan"],"recommended_action":"monitor","confidence":0.5,"risk_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":30,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":3,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 45\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":50,"behavior":0,"geo":0,"protocol":30,"novelty":15,"risk_score":45},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":50,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0554"],"tags_summary":["pat-0554"],"attack_vector":"cpanel probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\u0007\ufffd^U\ufffdP\ufffd\u0011\ufffd\ufffd\u00060\ufffd\u000e1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ij\u0015v\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffd\u0011vS\f\u001c\u0000\ufffd\u0013\u0001\u0013\u0002\u0013\u0003\u0013\u0004\u0013\u0005\ufffd,\ufffd0\u0000\ufffd\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\u0000\ufffd\ufffd+\ufffd\/\u0000\ufffd\u0000\ufffd","port":2087,"service":"cpanel-whm","service_label_fr":"CPANEL WHM"},"protocol_summary_fr":"Payload \u0016\u0003\u0001\u0001\ufffd\u0001\u0000\u0001\ufffd\u0003\u0003\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\u0007\ufffd^U\ufffdP\ufffd\u0011\ufffd\ufffd\u00060\ufffd\u000e1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ij\u0015v\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u2026 \u00b7 CPANEL WHM:2087","evidence_snippet":"\ufffd\ufffd\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\ufffd^U\ufffdP\ufffd\ufffd\ufffd0\ufffd1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ijv\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffdvS\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd","target_port_label":"2087 \u00b7 CPANEL WHM","emulator_service":"cpanel-whm","confidence_reason":"Confiance 50 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%","classification_reason_label_fr":"Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%","confidence_factors_fr":"Confiance 50 % \u2014 Score WAF 8","payload_preview":"\ufffd\ufffd\ufffdoz\u07f2\ufffdh\n\ufffd=\ufffd\ufffd^U\ufffdP\ufffd\ufffd\ufffd0\ufffd1=\ufffdV\ufffd \rt\ufffd[F`\ufffd~{ijv\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffdvS\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd"},"events":[{"id":9117868,"ip":"187.17.228.218","ts":"2026-06-15 07:38:56.000000","proto":"tcp","src_port":64722,"dst_port":2087,"service":"cpanel-whm","classification":"cpanel_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e\u0022, \u0022emulator_response_len\u0022: 125, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.848999221070646, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022cpanel-whm\u0022, \u0022app_proto\u0022: \u0022cpanel-whm\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 2087, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002251584d32aeb6bcba72953119cc78a0e0836a8f64\u0022, \u0022event_fingerprint\u0022: \u0022bd94c1be47794e5b05816ea1bc287e14296ba082\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022service_name\u0022: \u0022cpanel-whm\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022507489b0a5ae898babccf3eab92385e8\u0022, \u0022path_pattern_hash\u0022: \u0022e7139612faef5d92b03716e3491ff506\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2087, \u0022service\u0022: \u0022cpanel-whm\u0022, \u0022service_name\u0022: \u0022cpanel-whm\u0022, \u0022risk_score\u0022: 45}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdoz\u07f2\ufffdh\\n\ufffd=\ufffd\\u0007\ufffd^U\ufffdP\ufffd\\u0011\ufffd\ufffd\\u00060\ufffd\\u000e1=\ufffdV\ufffd \\rt\ufffd[F`\ufffd~{ij\\u0015v\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffd\\u0011vS\\f\\u001c\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdoz\u07f2\ufffdh\\n\ufffd=\ufffd\\u0007\ufffd^U\ufffdP\ufffd\\u0011\ufffd\ufffd\\u00060\ufffd\\u000e1=\ufffdV\ufffd \\rt\ufffd[F`\ufffd~{ij\\u0015v\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffd\\u0011vS\\f\\u001c\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdoz\u07f2\ufffdh\\n\ufffd=\ufffd\\u0007\ufffd^U\ufffdP\ufffd\\u0011\ufffd\ufffd\\u00060\ufffd\\u000e1=\ufffdV\ufffd \\rt\ufffd[F`\ufffd~{ij\\u0015v\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffd\\u0011vS\\f\\u001c\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022410c08e7a66c47a48bcb58d2f519f3b20c888a44\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdoz\u07f2\ufffdh\\n\ufffd=\ufffd\\u0007\ufffd^U\ufffdP\ufffd\\u0011\ufffd\ufffd\\u00060\ufffd\\u000e1=\ufffdV\ufffd \\rt\ufffd[F`\ufffd~{ij\\u0015v\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffd\\u0011vS\\f\\u001c\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022port\u0022: 2087, \u0022service\u0022: \u0022cpanel-whm\u0022, \u0022service_label_fr\u0022: \u0022CPANEL WHM\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdoz\u07f2\ufffdh\\n\ufffd=\ufffd\ufffd^U\ufffdP\ufffd\ufffd\ufffd0\ufffd1=\ufffdV\ufffd \\rt\ufffd[F`\ufffd~{ijv\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffdvS\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022cpanel probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222087 \u00b7 CPANEL WHM\u0022, \u0022emulator_service\u0022: \u0022cpanel-whm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022cpanel-whm\u0022, \u0022service_label_fr\u0022: \u0022CPANEL WHM\u0022, \u0022dst_port\u0022: 2087, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-cpanel-whm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdoz\u07f2\ufffdh\\n\ufffd=\ufffd\\u0007\ufffd^U\ufffdP\ufffd\\u0011\ufffd\ufffd\\u00060\ufffd\\u000e1=\ufffdV\ufffd \\rt\ufffd[F`\ufffd~{ij\\u0015v\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffd\\u0011vS\\f\\u001c\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022port\u0022: 2087, \u0022service\u0022: \u0022cpanel-whm\u0022, \u0022service_label_fr\u0022: \u0022CPANEL WHM\u0022}, \u0022attack_vector\u0022: \u0022cpanel probe \u00b7 via CPANEL WHM:2087 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdoz\u07f2\ufffdh\\n\ufffd=\ufffd\ufffd^U\ufffdP\ufffd\ufffd\ufffd0\ufffd1=\ufffdV\ufffd \\rt\ufffd[F`\ufffd~{ijv\ufffd\u003C\ufffd\ufffd\ufffd\ufffd`\ufffd\u0027\ufffd\ufffd\ufffdvS\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00222087 \u00b7 CPANEL WHM\u0022, \u0022emulator_service\u0022: \u0022cpanel-whm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022cpanel_whm\u0022, \u0022service_banner\u0022: \u0022honeypot-cpanel-whm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222087\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022cpanel_whm_emulated\u0022, \u0022cpanel_whm_payload\u0022, \u0022net_cpanel_probe\u0022, \u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cpanel_whm_emulated\u0022, \u0022cpanel_whm_payload\u0022, \u0022net_cpanel_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":4,"bytes_in":431},{"id":9097024,"ip":"187.17.228.218","ts":"2026-06-15 07:16:56.000000","proto":"tcp","src_port":56788,"dst_port":5038,"service":"http","classification":"config_file_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 5038, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222be0874cecdbeb134042563160d049023cd26794\u0022, \u0022event_fingerprint\u0022: \u0022999c9fe90ba5ff6a46e4991c1decf1856a2abf86\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0118\u0022, \u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Generic config.php\u0022, \u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0118\u0022, \u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00220b0c3190d88f62a32793d470bac0077c\u0022, \u0022path_pattern_hash\u0022: \u00227bb92ff73e997d70f080d1bb140deb9a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5038, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002217666e1e1cc14ef685f7a4ae67c8891bcb2cf372\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/config.php\u0022, \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 5038, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:5038 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/config.php\u0022, \u0022target_port_label\u0022: \u00225038 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5038, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/config.php\u0022, \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 5038, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:5038 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/config.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022target_port_label\u0022: \u00225038 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225038\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":9096988,"ip":"187.17.228.218","ts":"2026-06-15 07:16:09.000000","proto":"tcp","src_port":61474,"dst_port":2087,"service":"http","classification":"config_file_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 2087, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220c4f3014eee362a17afe159620f74649a3a93b40\u0022, \u0022event_fingerprint\u0022: \u002286051beaf77efaed2055a74af5c8502cbccf5da1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0118\u0022, \u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Generic config.php\u0022, \u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0118\u0022, \u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00220b0c3190d88f62a32793d470bac0077c\u0022, \u0022path_pattern_hash\u0022: \u00227bb92ff73e997d70f080d1bb140deb9a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2087, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002219654913dc96c5c4d0588f72b2266a72ba27603e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/config.php\u0022, \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 2087, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:2087 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/config.php\u0022, \u0022target_port_label\u0022: \u00222087 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2087, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/config.php\u0022, \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 2087, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:2087 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/config.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022target_port_label\u0022: \u00222087 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222087\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":9096228,"ip":"187.17.228.218","ts":"2026-06-15 07:02:03.000000","proto":"tcp","src_port":61474,"dst_port":2086,"service":"http","classification":"config_file_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 2086, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226ecbefbedf616a82e597ff5aefd3a77313f737d6\u0022, \u0022event_fingerprint\u0022: \u0022cc93ea1d264ad5608c9f5373d06a2c0418d0a621\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0118\u0022, \u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Generic config.php\u0022, \u0022ET Magento admin\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0118\u0022, \u0022pat-0854\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00220b0c3190d88f62a32793d470bac0077c\u0022, \u0022path_pattern_hash\u0022: \u00227bb92ff73e997d70f080d1bb140deb9a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2086, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fb3595b5c70268bcd0d7fb2dff6c60a3d8004816\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/config.php\u0022, \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 2086, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:2086 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/config.php\u0022, \u0022target_port_label\u0022: \u00222086 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2086, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/admin\/config.php\u0022, \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022port\u0022: 2086, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:2086 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/admin\/config.php\u0022, \u0022evidence_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022target_port_label\u0022: \u00222086 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 3 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222086\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":9096106,"ip":"187.17.228.218","ts":"2026-06-15 07:00:19.000000","proto":"tcp","src_port":64722,"dst_port":2086,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 32, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.8858937648428675, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 2086, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d56f9be6fee8395bc77695e4b529822e28e9256d\u0022, \u0022event_fingerprint\u0022: \u00228ab0dc376f91e9ede4efc546810baa23dae24976\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022payload_hash\u0022: \u00225cd3429ce5dc8ee64d57a10e5d99529a\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2086, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\\u0006\ufffdR\u003E\\\\\ufffd\\u0007\ufffdhO\ufffd\\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\\u001e\ufffd\u003E2\\u001a\ufffd\\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\\u0006\ufffdR\u003E\\\\\ufffd\\u0007\ufffdhO\ufffd\\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\\u001e\ufffd\u003E2\\u001a\ufffd\\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\\u0006\ufffdR\u003E\\\\\ufffd\\u0007\ufffdhO\ufffd\\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\\u001e\ufffd\u003E2\\u001a\ufffd\\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b67c362ae55a1afdc061a3bcf7cd0a76b099a62a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\\u0006\ufffdR\u003E\\\\\ufffd\\u0007\ufffdhO\ufffd\\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\\u001e\ufffd\u003E2\\u001a\ufffd\\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022tls_ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022port\u0022: 2086, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdG\ufffdH_\ufffd%X`\ufffdb;\ufffdR\u003E\\\\\ufffd\ufffdhO\ufffd4\u05f3Y\u07f8L\ufffd \ufffdOm\ufffd\u003E2\ufffdy\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:2086 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222086 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 2086, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffdG\ufffdH_\ufffd%X`\ufffdb;\\u0006\ufffdR\u003E\\\\\ufffd\\u0007\ufffdhO\ufffd\\u00074\u05f3Y\u07f8L\ufffd \ufffdOm\\u001e\ufffd\u003E2\\u001a\ufffd\\u0019y\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022tls_ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022port\u0022: 2086, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:2086 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdG\ufffdH_\ufffd%X`\ufffdb;\ufffdR\u003E\\\\\ufffd\ufffdhO\ufffd4\u05f3Y\u07f8L\ufffd \ufffdOm\ufffd\u003E2\ufffdy\ufffd\ufffd]\ufffd\ufffd\ufffd]\ufffdD\ufffd@\ufffdO\ufffdvW\ufffd^\ufffd\ufffd!\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00222086 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222086\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":431},{"id":9095707,"ip":"187.17.228.218","ts":"2026-06-15 06:53:57.000000","proto":"tcp","src_port":64722,"dst_port":5038,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 32, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.890229864050712, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 5038, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207b2b6194ec6797867b9ef1a126f0cf27829d3f3\u0022, \u0022event_fingerprint\u0022: \u002207639ed5a166b5a75852e9c4e931b1a3ab72aee3\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022payload_hash\u0022: \u00224e2e48a28af18cf5fa866befe1f4e805\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5038, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffdJ\ufffdI\\u0006\ufffd\u05baj\u0026Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\\u0019 c\ufffd\ufffd\ufffd\\u0010\\u000exL\u0027\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffdJ\ufffdI\\u0006\ufffd\u05baj\u0026Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\\u0019 c\ufffd\ufffd\ufffd\\u0010\\u000exL\u0027\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffdJ\ufffdI\\u0006\ufffd\u05baj\u0026Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\\u0019 c\ufffd\ufffd\ufffd\\u0010\\u000exL\u0027\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c26096d20365db46264727d874a05977f639d991\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffdJ\ufffdI\\u0006\ufffd\u05baj\u0026Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\\u0019 c\ufffd\ufffd\ufffd\\u0010\\u000exL\u0027\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022tls_ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022port\u0022: 5038, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdJ\ufffdI\ufffd\u05baj\u0026Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffdLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd c\ufffd\ufffd\ufffdxL\u0027\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5038 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00225038 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 5038, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd\ufffdJ\ufffdI\\u0006\ufffd\u05baj\u0026Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffd\\u001eLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd\\u0019 c\ufffd\ufffd\ufffd\\u0010\\u000exL\u0027\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022tls_ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022port\u0022: 5038, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:5038 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdJ\ufffdI\ufffd\u05baj\u0026Eu\ufffd\u06bf\ufffd\ufffd\ufffd\ufffdLIn\ufffd\ufffd\ufffd\ufffd%\ufffd\ufffd c\ufffd\ufffd\ufffdxL\u0027\ufffd9\u011f?\ufffd\ufffd\ufffd\ufffdiRG+\ufffd\u02e4\ufffd4\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd,\ufffd0\ufffd\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\ufffd\ufffd+\ufffd\/\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00225038 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225038\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":431},{"id":8392397,"ip":"187.17.228.218","ts":"2026-06-06 14:16:36.000000","proto":"tcp","src_port":62477,"dst_port":2086,"service":"http","classification":"config_file_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 2086, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226ecbefbedf616a82e597ff5aefd3a77313f737d6\u0022, \u0022event_fingerprint\u0022: \u0022cc93ea1d264ad5608c9f5373d06a2c0418d0a621\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0118\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Generic config.php\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0118\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00220b0c3190d88f62a32793d470bac0077c\u0022, \u0022path_pattern_hash\u0022: \u00227bb92ff73e997d70f080d1bb140deb9a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2086, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fb3595b5c70268bcd0d7fb2dff6c60a3d8004816\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":8391975,"ip":"187.17.228.218","ts":"2026-06-06 14:06:16.000000","proto":"tcp","src_port":64030,"dst_port":5038,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 32, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.849603935966429, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 5038, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 22, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002207b2b6194ec6797867b9ef1a126f0cf27829d3f3\u0022, \u0022event_fingerprint\u0022: \u002207639ed5a166b5a75852e9c4e931b1a3ab72aee3\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022payload_hash\u0022: \u0022077804e3f285ffdbf4e981253093d45f\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5038, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0013\ufffd\\u001c{]\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr\u0026k\ufffd\u0027\\u001a\ufffd6\ufffd9=\ufffdF\\u0007\ufffd^\\u0012\ufffd\ufffd| W\ufffd\ufffd0R\ufffdQ7\\u0017P\\u0019j0M\ufffdA\\u0004\ufffd\\n\ufffd\ufffd\\u0005\ufffdLl\\u0015\ufffdV\ufffd\ufffd|\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0013\ufffd\\u001c{]\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr\u0026k\ufffd\u0027\\u001a\ufffd6\ufffd9=\ufffdF\\u0007\ufffd^\\u0012\ufffd\ufffd| W\ufffd\ufffd0R\ufffdQ7\\u0017P\\u0019j0M\ufffdA\\u0004\ufffd\\n\ufffd\ufffd\\u0005\ufffdLl\\u0015\ufffdV\ufffd\ufffd|\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0013\ufffd\\u001c{]\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr\u0026k\ufffd\u0027\\u001a\ufffd6\ufffd9=\ufffdF\\u0007\ufffd^\\u0012\ufffd\ufffd| W\ufffd\ufffd0R\ufffdQ7\\u0017P\\u0019j0M\ufffdA\\u0004\ufffd\\n\ufffd\ufffd\\u0005\ufffdLl\\u0015\ufffdV\ufffd\ufffd|\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0013\ufffd\\u001c{]\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr\u0026k\ufffd\u0027\\u001a\ufffd6\ufffd9=\ufffdF\\u0007\ufffd^\\u0012\ufffd\ufffd| W\ufffd\ufffd0R\ufffdQ7\\u0017P\\u0019j0M\ufffdA\\u0004\ufffd\\n\ufffd\ufffd\\u0005\ufffdLl\\u0015\ufffdV\ufffd\ufffd|\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\\u0013\ufffd\\u001c{]\\u001d\ufffd\ufffd\ufffd\ufffd\ufffdr\u0026k\ufffd\u0027\\u001a\ufffd6\ufffd9=\ufffdF\\u0007\ufffd^\\u0012\ufffd\ufffd| W\ufffd\ufffd0R\ufffdQ7\\u0017P\\u0019j0M\ufffdA\\u0004\ufffd\\n\ufffd\ufffd\\u0005\ufffdLl\\u0015\ufffdV\ufffd\ufffd|\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227e97b599dd633d2a6adbc417d641c2183cb1dbfe\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":431},{"id":8391687,"ip":"187.17.228.218","ts":"2026-06-06 13:58:29.000000","proto":"tcp","src_port":62477,"dst_port":2087,"service":"http","classification":"config_file_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 2087, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002253db9d27901bbb48b8564f284ee03cf746d8c739\u0022, \u0022event_fingerprint\u0022: \u002286051beaf77efaed2055a74af5c8502cbccf5da1\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0118\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Generic config.php\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0118\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00220b0c3190d88f62a32793d470bac0077c\u0022, \u0022path_pattern_hash\u0022: \u00227bb92ff73e997d70f080d1bb140deb9a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2087, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226f868c24b9fba2980bdf6fd5d6e382123d5cd1b2\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":8391223,"ip":"187.17.228.218","ts":"2026-06-06 13:44:05.000000","proto":"tcp","src_port":64030,"dst_port":2086,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 32, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.923057670559709, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 2086, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 21, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d56f9be6fee8395bc77695e4b529822e28e9256d\u0022, \u0022event_fingerprint\u0022: \u00228ab0dc376f91e9ede4efc546810baa23dae24976\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022payload_hash\u0022: \u00224c508de20ec7efd065bbddc03da0a03e\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2086, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003^\\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\\u001a\ufffd\ufffd\\u000b\ufffd(\ufffds\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003^\\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\\u001a\ufffd\ufffd\\u000b\ufffd(\ufffds\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003^\\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\\u001a\ufffd\ufffd\\u000b\ufffd(\ufffds\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003^\\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\\u001a\ufffd\ufffd\\u000b\ufffd(\ufffds\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003^\\u0014\ufffd)._\ufffd#\ufffd\ufffd\ufffd\ufffd\\u000eP)\ufffdn\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd\u05cf\ufffd\ufffd\ufffd !\\u0013\ufffd\ufffdG=\uecda%\u071a\ufffd\ufffd\ufffd#kf\ufffd\ufffd2Y0\\u001a\ufffd\ufffd\\u000b\ufffd(\ufffds\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022de2394aa8a37e3f973962c229b6edcbdc637ab84\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":431},{"id":8390172,"ip":"187.17.228.218","ts":"2026-06-06 13:19:35.000000","proto":"tcp","src_port":64030,"dst_port":2087,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 32, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.868981266252983, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 2087, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 21, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229dd8f5c85a887493f1e796c0616b327e9c11f965\u0022, \u0022event_fingerprint\u0022: \u0022f126252052ce10628d986b7abc7a3e590bdfe910\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022payload_hash\u0022: \u00220dbb09a5e173f8c9aa4499a9f0e8dd50\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2087, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd9\ufffd6\u0172\\u0019z\ufffd\ufffd\\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\\u0000\ufffd\\u0002r\\u0015\\u0013I3\/\ufffd\\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\\n\ufffd\u04bcj\ufffd[\ufffd\\\\\\u001a\\u001c\ufffd\ufffd\ufffdHN\\u0015\\u000b\ufffd\/\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd9\ufffd6\u0172\\u0019z\ufffd\ufffd\\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\\u0000\ufffd\\u0002r\\u0015\\u0013I3\/\ufffd\\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\\n\ufffd\u04bcj\ufffd[\ufffd\\\\\\u001a\\u001c\ufffd\ufffd\ufffdHN\\u0015\\u000b\ufffd\/\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd9\ufffd6\u0172\\u0019z\ufffd\ufffd\\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\\u0000\ufffd\\u0002r\\u0015\\u0013I3\/\ufffd\\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\\n\ufffd\u04bcj\ufffd[\ufffd\\\\\\u001a\\u001c\ufffd\ufffd\ufffdHN\\u0015\\u000b\ufffd\/\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd9\ufffd6\u0172\\u0019z\ufffd\ufffd\\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\\u0000\ufffd\\u0002r\\u0015\\u0013I3\/\ufffd\\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\\n\ufffd\u04bcj\ufffd[\ufffd\\\\\\u001a\\u001c\ufffd\ufffd\ufffdHN\\u0015\\u000b\ufffd\/\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\\\\ufffd`\ufffdV\ufffdR\\u0000\ufffd\ufffd$\ufffd(\\u0000k\\u0000j\ufffds\ufffdw\\u0000\ufffd\\u0000\ufffd\\u0000m\\u0000\ufffd\ufffd#\ufffd\u0027\\u0000g\\u0000@\ufffdr\ufffdv\\u0000\ufffd\\u0000\ufffd\\u0000l\\u0000\ufffd\ufffd\\n\ufffd\\u0014\\u00009\\u00008\\u0000\ufffd\\u0000\ufffd\ufffd\\u0019\\u0000:\\u0000\ufffd\ufffd\\t\ufffd\\u0013\\u00003\\u00002\\u0000\ufffd\\u0000\ufffd\\u0000E\\u0000D\ufffd\\u0018\\u00004\\u0000\ufffd\\u0000F\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\\u0000=\\u0000\ufffd\\u0000\u003C\\u0000\ufffd\\u00005\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001\ufffd\\u0001\\u0000\\u0001\ufffd\\u0003\\u0003\ufffd9\ufffd6\u0172\\u0019z\ufffd\ufffd\\u0013\ufffd[\ufffd\ufffde\ufffd\ufffd\ufffdy\\u0000\ufffd\\u0002r\\u0015\\u0013I3\/\ufffd\\u0004 \ufffd\ufffd\ufffd6\ufffd_\ufffd=r\\n\ufffd\u04bcj\ufffd[\ufffd\\\\\\u001a\\u001c\ufffd\ufffd\ufffdHN\\u0015\\u000b\ufffd\/\ufffd\ufffd\ufffd\\u0000\ufffd\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0013\\u0004\\u0013\\u0005\ufffd,\ufffd0\\u0000\ufffd\\u0000\ufffd\u0329\u0328\u032a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffda\ufffdW\ufffdS\\u0000\ufffd\ufffd+\ufffd\/\\u0000\ufffd\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b96c11776e1dbb9c926a835b1c6f724be0a82d2e\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":431},{"id":8390023,"ip":"187.17.228.218","ts":"2026-06-06 13:16:26.000000","proto":"tcp","src_port":62477,"dst_port":5038,"service":"http","classification":"config_file_probe","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022dst_port\u0022: 5038, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222be0874cecdbeb134042563160d049023cd26794\u0022, \u0022event_fingerprint\u0022: \u0022999c9fe90ba5ff6a46e4991c1decf1856a2abf86\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0118\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Generic config.php\u0022, \u0022ES admin GET\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0118\u0022, \u0022pat-0341\u0022, \u0022pat-0606\u0022], \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022BR\u0022, \u0022asn\u0022: 28267, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002263279522febcf5538b72996c16a8660f\u0022, \u0022payload_hash\u0022: \u00220b0c3190d88f62a32793d470bac0077c\u0022, \u0022path_pattern_hash\u0022: \u00227bb92ff73e997d70f080d1bb140deb9a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5038, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/admin\/config.php\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/admin\/config.php HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.3.50.33\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/admin\/config.php HTTP\/1.0\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\r\\nAccept: *\/*\\r\\nHost: 62.\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002217666e1e1cc14ef685f7a4ae67c8891bcb2cf372\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":7930993,"ip":"187.17.228.218","ts":"2026-05-29 09:47:22.000000","proto":"tcp","src_port":63325,"dst_port":2087,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022cfa9452728ceefbaef5ba6b2601437a31ed1ee78\u0022, \u0022event_fingerprint\u0022: \u0022591d1d556ef8441274a41d51a6ea93223e0688cb\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":7930696,"ip":"187.17.228.218","ts":"2026-05-29 09:39:05.000000","proto":"tcp","src_port":63325,"dst_port":5038,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022f443fd163a06301df1b1445a4c92eae454852c16\u0022, \u0022event_fingerprint\u0022: \u0022c5207f380cb5c609fd9c1355fee07e45aeefbe6d\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":7929410,"ip":"187.17.228.218","ts":"2026-05-29 09:06:03.000000","proto":"tcp","src_port":63828,"dst_port":5038,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.845422381606238, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u00221b6b081acb33275a28948a35868f9a254a389895\u0022, \u0022event_fingerprint\u0022: \u002207639ed5a166b5a75852e9c4e931b1a3ab72aee3\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":431},{"id":7929093,"ip":"187.17.228.218","ts":"2026-05-29 08:58:39.000000","proto":"tcp","src_port":63325,"dst_port":2086,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00221e61fdcaa7667cb11e1aabaa63a181e70bdbb0e2\u0022, \u0022event_fingerprint\u0022: \u00229971cab2ab537e4ab85d31062bf99a32001a882f\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":7928965,"ip":"187.17.228.218","ts":"2026-05-29 08:53:53.000000","proto":"tcp","src_port":63828,"dst_port":2086,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.844134735019901, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022c1bfa3ec8112f0048aa27bb5b61b0ab6db2f06e0\u0022, \u0022event_fingerprint\u0022: \u00228ab0dc376f91e9ede4efc546810baa23dae24976\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":431},{"id":7928895,"ip":"187.17.228.218","ts":"2026-05-29 08:51:12.000000","proto":"tcp","src_port":63828,"dst_port":2087,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.767355373094555, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022b5743cfb75853cf1e83e77fde101dbbdf9f38dd2\u0022, \u0022event_fingerprint\u0022: \u0022f126252052ce10628d986b7abc7a3e590bdfe910\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":431},{"id":7460156,"ip":"187.17.228.218","ts":"2026-05-21 16:05:04.000000","proto":"tcp","src_port":61431,"dst_port":2086,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.877407878643768, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022c1bfa3ec8112f0048aa27bb5b61b0ab6db2f06e0\u0022, \u0022event_fingerprint\u0022: \u00228ab0dc376f91e9ede4efc546810baa23dae24976\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":431},{"id":7459819,"ip":"187.17.228.218","ts":"2026-05-21 15:53:19.000000","proto":"tcp","src_port":60587,"dst_port":2087,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022cfa9452728ceefbaef5ba6b2601437a31ed1ee78\u0022, \u0022event_fingerprint\u0022: \u0022591d1d556ef8441274a41d51a6ea93223e0688cb\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":7459762,"ip":"187.17.228.218","ts":"2026-05-21 15:51:17.000000","proto":"tcp","src_port":61431,"dst_port":5038,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.862276413048903, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u00221b6b081acb33275a28948a35868f9a254a389895\u0022, \u0022event_fingerprint\u0022: \u002207639ed5a166b5a75852e9c4e931b1a3ab72aee3\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":431},{"id":7459010,"ip":"187.17.228.218","ts":"2026-05-21 15:18:16.000000","proto":"tcp","src_port":60587,"dst_port":2086,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u00221e61fdcaa7667cb11e1aabaa63a181e70bdbb0e2\u0022, \u0022event_fingerprint\u0022: \u00229971cab2ab537e4ab85d31062bf99a32001a882f\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139},{"id":7458989,"ip":"187.17.228.218","ts":"2026-05-21 15:17:12.000000","proto":"tcp","src_port":61431,"dst_port":2087,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022effe96911320528dfdfdba040c9e915b\u0022, \u0022tls_sni\u0022: null, \u0022bytes_in\u0022: 431, \u0022payload_entropy\u0022: 5.8331366805073515, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 33, \u0022campaign_key\u0022: \u0022b5743cfb75853cf1e83e77fde101dbbdf9f38dd2\u0022, \u0022event_fingerprint\u0022: \u0022f126252052ce10628d986b7abc7a3e590bdfe910\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]}","tls_sni":null,"tls_ja3_hash":"effe96911320528dfdfdba040c9e915b","tls_ja3":"771,4865-4866-4867-4868-4869-49196-49200-163-159-52393-52392-52394-49327-49325-49315-49311-49245-49249-49239-49235-167-49195-49199-162-158-49326-49324-49314-49310-49244-49248-49238-49234-166-49188-49192-107-106-49267-49271-196-195-109-197-49187-49191-103-64-49266-49270-190-189-108-191-49162-49172-57-56-136-135-49177-58-137-49161-49171-51-50-154-153-69-68-49176-52-155-70-157-49313-49309-49233-156-49312-49308-49232-61-192-60-186-53-132-47-150-65-7-49158-49168-49173-59-2-1-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022]","anomalies":"[]","severity":2,"bytes_in":431},{"id":7458622,"ip":"187.17.228.218","ts":"2026-05-21 15:00:34.000000","proto":"tcp","src_port":60587,"dst_port":5038,"service":"http","classification":"web_attack","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/admin\/config.php","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022php\u0022, \u0022http_ua_hash\u0022: \u00225002ada1c05fac60ce2af638d5f54066641d121c\u0022, \u0022http_host_hash\u0022: \u00220991dad1e85d945fa26d249d6238901b89cb8349\u0022, \u0022http_target_hash\u0022: \u0022d56b1a05959828284b2f82de68035f0901a81dcd\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 139, \u0022payload_entropy\u0022: 5.27991234142951, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022LANTEC COMUNICACAO MULTIMIDIA LTDA\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 28267, \u0022country\u0022: \u0022BR\u0022, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022f443fd163a06301df1b1445a4c92eae454852c16\u0022, \u0022event_fingerprint\u0022: \u0022c5207f380cb5c609fd9c1355fee07e45aeefbe6d\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"62.3.50.33","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_probe_admin\u0022, \u0022http_sensitive_path\u0022]","anomalies":"[]","severity":9,"bytes_in":139}],"total_events":24}