Renseignement sur les menaces

Allemagne

188.166.164.91

FAI DigitalOcean, LLC Première vue 18/06/2026 18:56 UTC Dernière vue 18/06/2026 18:56 UTC Risque Élevé

Période analysée : 2026-05-20 → 2026-06-19

Activité suspecte · risque 35/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 84/100 Élevé

Première observation 18/06/2026 18:56 UTC

Dernière observation 18/06/2026 18:56 UTC

Événements (période) 8

MITRE ATT&CK principal TA0007 5 occurrences

Activité suspecte · risque 35/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Tags WAF: sap-sapcontrol-path · confiance 61%

Confiance 69 % — Score WAF 20 · Bonus corrélation +8 · 1 tag(s) WAF

Comparaison ASN / FAI

ASN 14061 · 188.166.160.0/21 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 8 événements sur la période pour cette IP.

147.182.202.179 Sonde PostgreSQL 19/06/2026 19:58 UTC
164.92.106.15 Sonde port 19/06/2026 19:56 UTC
159.89.51.95 Sonde fichier configuration 19/06/2026 19:56 UTC
192.241.143.35 Sonde SAP Diag/GUI 19/06/2026 19:56 UTC
157.230.187.192 Sonde PostgreSQL 19/06/2026 19:56 UTC
174.138.41.162 Sonde port 19/06/2026 19:56 UTC
209.38.70.156 Cross-site scripting 19/06/2026 19:56 UTC
159.89.124.112 Sonde port 19/06/2026 19:55 UTC

Événements (filtres)

Première observation

18/06/2026 18:56 UTC

Dernière observation

18/06/2026 18:56 UTC

Dernière activité (filtres)

18/06/2026 18:56 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Géolocalisation

Origine réseau déclarée

Allemagne unknown unknown

FAI / réseau

Opérateur et dernière activité ban

DigitalOcean, LLC 0 Port 18789 port_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

http · via HTTP:18789 · (sonde / probe)

Détails protocole

Méthode: GET
Chemin: /

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33

Port / service

18789 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 61 % — Score WAF 20 · 1 tag(s) WAF

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Confiance

69% Corrélation +8

Famille de menace

unknown

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

8 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

8 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 18:56:33 UTC	TCP	18789	—	Sonde port Sonde port · port 18789 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 18789 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 4, "payload_entropy": 1, "port_category": "registered", "org": "DigitalOcean, LLC", "service": null, "app_proto": null, "asn": 14061, "country": "DE", "dst_port": 18789, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.5, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "722bac193906feb59c6ac0dc2f0b8180c5371669", "event_fingerprint": "3faab7243651a289d29bae1a3c706427cf008648", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dba5166ad9db9ba648c1032ebbd34dcd", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 18789, "risk_score": 44 }, "payload_preview": "\r\n\r\n", "request_sample": "\r\n\r\n", "evidence": { "request_sample": "\r\n\r\n", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d786403467b3be07ebc89821760566bb3769d8b0", "protocol_details": { "port": 18789 }, "attack_vector": "Sonde port \u00b7 port 18789 \u00b7 (sonde \/ probe)", "target_port_label": "18789", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 18789, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 18789 }, "attack_vector": "Sonde port \u00b7 port 18789 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "18789", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "18789" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
18/06/2026 18:56:33 UTC	TCP	18789 · HTTP	http	http http · via HTTP:18789 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18789 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 61% Confiance classification 69% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 61 % — Score WAF 20 · 1 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.0 Meta JSON brut { "http_header_count": 0, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 18, "payload_entropy": 3.461320140211008, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "http", "app_proto": "http", "asn": 14061, "country": "DE", "dst_port": 18789, "risk_waf": 20, "risk_classification": 8, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.2, "risk_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 0 }, "risk_score": 35, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ed5d30d0323702d68576e749ff5abdb34ad175f1", "event_fingerprint": "a989251301143bd1febf488a292ce1d0bc5d6388", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6ec63b40bcbc26b71deda762dfd844f0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 18789, "service": "http", "service_name": "http", "risk_score": 35 }, "payload_preview": "GET \/ HTTP\/1.0\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.0", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%" }, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "confidence_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "confidence": 0.69, "classification_confidence": 0.69, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "060e4bb9fac43b95ce43fcd34451ccb1f65eb96c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.0", "attack_vector": "http \u00b7 via HTTP:18789 \u00b7 (sonde \/ probe)", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 69, "confidence_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18789, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http \u00b7 via HTTP:18789 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.0", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18789" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:18789" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua" ], "asn_dc_heuristic": true }
18/06/2026 18:56:33 UTC	TCP	18789 · HTTP	http	SSRF ssrf attack · via HTTP:18789 · (tentative d'exploit) · → /odinhttpcall1781809003	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /odinhttpcall1781809003 UA Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /odinhttpcall1781809003 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18789 Chemin / cible /odinhttpcall1781809003 Service HTTP Pourquoi cette classification : Règle WAF « ssrf-3 » · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 50 % — 3 tag(s) WAF Signaux Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /odinhttpcall1781809003 HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /odinhttpcall1781809003 HTTP/1.1 Host: 62.3.50.33:18789 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.co Requête brute (extrait) GET /odinhttpcall1781809003 HTTP/1.1 Host: 62.3.50.33:18789 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Connection: close Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "033dedd926f028341b5d0b4ba132f8088c552b7c", "http_host_hash": "473c9614888ff9827a98bf7fad6203e6de73b3a4", "http_target_hash": "eede735f87726b535b22b207d8a0e9619b070520", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 154, "payload_entropy": 5.146507610529925, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "http", "app_proto": "http", "asn": 14061, "country": "DE", "dst_port": 18789, "risk_waf": 84, "risk_classification": 84, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 84, "classification": 84, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f57fe193d642bed89edd290b38e09ec0314f4e41", "event_fingerprint": "131ffdbc744df560b57cad80f2da324cdfc818d5", "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 84, "classification": 84, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f9c7ebc5d6f6c8d69ee2392fa6e3a4f", "payload_hash": "58d83dfde8285c83186c69a1bd61faca", "path_pattern_hash": "b3321d0a44561408cbe24bafe56bbe80" }, "target_context": { "dst_port": 18789, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/odinhttpcall1781809003 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.co", "method": "GET", "path": "\/odinhttpcall1781809003", "user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/odinhttpcall1781809003 HTTP\/1.1", "request_sample": "GET \/odinhttpcall1781809003 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/odinhttpcall1781809003 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.co", "evidence": { "method": "GET", "path": "\/odinhttpcall1781809003", "user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/odinhttpcall1781809003 HTTP\/1.1", "request_sample": "GET \/odinhttpcall1781809003 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/odinhttpcall1781809003 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.co", "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ssrf_probe" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d9c114af803cce9309daa6cd4b6467930e6611cb", "protocol_details": { "http_method": "GET", "http_path": "\/odinhttpcall1781809003", "request_line": "GET \/odinhttpcall1781809003 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/odinhttpcall1781809003 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.co", "attack_vector": "ssrf attack \u00b7 via HTTP:18789 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/odinhttpcall1781809003", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "classification_reason_label_fr": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 84, "classification": 84, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18789, "protocol_emulated": null, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/odinhttpcall1781809003", "request_line": "GET \/odinhttpcall1781809003 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf attack \u00b7 via HTTP:18789 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/odinhttpcall1781809003", "evidence_snippet": "GET \/odinhttpcall1781809003 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.co", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18789" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:18789" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
18/06/2026 18:56:33 UTC	TCP	18789 · HTTP	http	SSRF ssrf attack · via HTTP:18789 · (tentative d'exploit) · → /sdk	Élevée	Élevé · 84
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE T1090 TA0001 TA0002 Protocole POST /sdk UA Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Émulateur HTTP WAF 45 Recommandation Investiguer Tags 950079:sqli-19 950326:rce-0 950327:rce-0 950406:ssrf-3 Cible HTTP POST /sdk TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 18789 Chemin / cible /sdk Service HTTP Pourquoi cette classification : Règle WAF « ssrf-3 » · Motif SSRF · confiance 100% Confiance classification 100% Corrélation +8 Risque capteur Élevé · 84 Confiance : Confiance 100 % — 7 tag(s) WAF Signaux Http Ssrf Upstream Waf Score Technique MITRE T1090 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL CRS 941130 LFI Double-dot bypass Ligne de requête `POST /sdk HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Règles WAF sqli-19 rce-0 ssrf-3 nosqli-3 Payload (extrait) POST /sdk HTTP/1.1 Content-Length: 441 Host: 62.3.50.33:18789 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin Requête brute (extrait) POST /sdk HTTP/1.1 Content-Length: 441 Host: 62.3.50.33:18789 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Connection: close <soap:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSc Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "033dedd926f028341b5d0b4ba132f8088c552b7c", "http_host_hash": "473c9614888ff9827a98bf7fad6203e6de73b3a4", "http_target_hash": "5e2a035222ca1432dd7a4c0062da7711ee276c61", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 598, "payload_entropy": 5.303994434825632, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "http", "app_proto": "http", "asn": 14061, "country": "DE", "dst_port": 18789, "risk_waf": 100, "risk_classification": 84, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 15, "risk_granularity": 3.5, "risk_breakdown": { "waf": 100, "classification": 84, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 84, "tag_count": 9, "anomaly_count": 0, "campaign_key": "3f564486493a1cc0536e8d4e90876cdb005227e8", "event_fingerprint": "7136c11e29ec4d3a0f914899b38f2d94d5930b4c", "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Motif SSRF \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 110, "precision_signals": [ "INT-http_ssrf", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-http_ssrf", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0842", "pat-0284", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "CRS 941130", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0284", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 84, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 84, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f9c7ebc5d6f6c8d69ee2392fa6e3a4f", "payload_hash": "80a8fa451f7f671162d8253529da67ea", "path_pattern_hash": "b91a94364e548eac8280a672094b6c64" }, "target_context": { "dst_port": 18789, "service": "http", "service_name": "http", "risk_score": 84 }, "payload_preview": "POST \/sdk HTTP\/1.1\r\nContent-Length: 441\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin", "method": "POST", "path": "\/sdk", "user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "waf_tags": [ "950079:sqli-19", "950326:rce-0", "950327:rce-0", "950406:ssrf-3", "950407:ssrf-3", "950470:nosqli-3", "950471:nosqli-3" ], "waf_rule_names": [ "sqli-19", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "POST \/sdk HTTP\/1.1", "request_sample": "POST \/sdk HTTP\/1.1\r\nContent-Length: 441\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: close\r\n\r\n<soap:Envelope xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSc", "payload_snippet": "POST \/sdk HTTP\/1.1\r\nContent-Length: 441\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin", "evidence": { "method": "POST", "path": "\/sdk", "user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "waf_tags": [ "950079:sqli-19", "950326:rce-0", "950327:rce-0", "950406:ssrf-3", "950407:ssrf-3", "950470:nosqli-3", "950471:nosqli-3" ], "waf_rule_names": [ "sqli-19", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "POST \/sdk HTTP\/1.1", "request_sample": "POST \/sdk HTTP\/1.1\r\nContent-Length: 441\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: close\r\n\r\n<soap:Envelope xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSc", "payload_snippet": "POST \/sdk HTTP\/1.1\r\nContent-Length: 441\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin", "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Motif SSRF \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1090" ], "mitre": "T1090", "threat_family": [ "ssrf_probe" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "80add282c14c0a76bb9d77b09ef6cb43ca264b07", "protocol_details": { "http_method": "POST", "http_path": "\/sdk", "request_line": "POST \/sdk HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/sdk HTTP\/1.1\r\nContent-Length: 441\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin", "attack_vector": "ssrf attack \u00b7 via HTTP:18789 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sdk", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 7 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Motif SSRF \u00b7 confiance 100%", "classification_reason_label_fr": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 Motif SSRF \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 84\/100 (\u00c9lev\u00e9) \u2014 MITRE T1090 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 84, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 84, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 84, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18789, "protocol_emulated": null, "tags_summary": [ "INT-http_ssrf", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Http Ssrf", "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1090", "mitre_technique": "T1090", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "POST", "http_path": "\/sdk", "request_line": "POST \/sdk HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf attack \u00b7 via HTTP:18789 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sdk", "evidence_snippet": "POST \/sdk HTTP\/1.1\r\nContent-Length: 441\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 7 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 7 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18789" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:18789" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950079:sqli-19", "950326:rce-0", "950327:rce-0", "950406:ssrf-3", "950407:ssrf-3", "950470:nosqli-3", "950471:nosqli-3", "http_jwt_body", "http_ssrf_body" ], "asn_dc_heuristic": true }
18/06/2026 18:56:33 UTC	TCP	18789 · HTTP	http	SSRF ssrf attack · via HTTP:18789 · (tentative d'exploit) · → /HNAP1	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET /HNAP1 UA Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Émulateur HTTP WAF 19 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950470:nosqli-3 iot_http_endpoint Cible HTTP GET /HNAP1 TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18789 Chemin / cible /HNAP1 Service HTTP Pourquoi cette classification : Règle WAF « ssrf-3 » · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 50 % — 3 tag(s) WAF Signaux Upstream Waf Score Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /HNAP1 HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /HNAP1 HTTP/1.1 Host: 62.3.50.33:18789 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Connection: Requête brute (extrait) GET /HNAP1 HTTP/1.1 Host: 62.3.50.33:18789 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Connection: close Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "033dedd926f028341b5d0b4ba132f8088c552b7c", "http_host_hash": "473c9614888ff9827a98bf7fad6203e6de73b3a4", "http_target_hash": "92c22322858be108c9b5ebcfd6f2c3cb5ceee211", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 137, "payload_entropy": 5.17803929617189, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "http", "app_proto": "http", "asn": 14061, "country": "DE", "dst_port": 18789, "risk_waf": 84, "risk_classification": 84, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 84, "classification": 84, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "304d38b651f937d1d16cfbdf0d5eb17d455d388b", "event_fingerprint": "f248cecf8ef8de6a98df59a64ad8928c54883ae3", "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "confidence": 0.58, "classification_confidence": 0.58, "precision_score": 55, "precision_signals": [ "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 84, "classification": 84, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f9c7ebc5d6f6c8d69ee2392fa6e3a4f", "payload_hash": "ff1860f411f8cb5644f749a895d6edbc", "path_pattern_hash": "6fce0d6d2998b47f09e54396e5a34d07" }, "target_context": { "dst_port": 18789, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/HNAP1 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: ", "method": "GET", "path": "\/HNAP1", "user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/HNAP1 HTTP\/1.1", "request_sample": "GET \/HNAP1 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/HNAP1 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection:", "evidence": { "method": "GET", "path": "\/HNAP1", "user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/HNAP1 HTTP\/1.1", "request_sample": "GET \/HNAP1 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/HNAP1 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection:", "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "ssrf_probe" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7336eba5af58f5095aed871f5f0877903f6b16ca", "protocol_details": { "http_method": "GET", "http_path": "\/HNAP1", "request_line": "GET \/HNAP1 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/HNAP1 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection:", "attack_vector": "ssrf attack \u00b7 via HTTP:18789 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/HNAP1", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "classification_reason_label_fr": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 84, "classification": 84, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18789, "protocol_emulated": null, "tags_summary": [ "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Upstream", "Waf Score" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/HNAP1", "request_line": "GET \/HNAP1 HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "ssrf attack \u00b7 via HTTP:18789 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/HNAP1", "evidence_snippet": "GET \/HNAP1 HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection:", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18789" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:18789" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "iot_http_endpoint" ], "asn_dc_heuristic": true }
18/06/2026 18:56:33 UTC	TCP	18789 · HTTP	http	Scan vulnérabilités scanner vuln · via HTTP:18789 · (sonde / probe) · → /evox/about	Élevée	Moyen · 56
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET /evox/about UA Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Émulateur HTTP WAF 25 Recommandation Investiguer Tags 950326:rce-0 950406:ssrf-3 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /evox/about TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18789 Chemin / cible /evox/about Service HTTP Pourquoi cette classification : Type « scanner_vuln » (signaux protocolaires) · confiance 46% Confiance classification 54% Corrélation +8 Risque capteur Moyen · 56 Confiance : Confiance 46 % — Motif catalogue confirmé · 4 tag(s) WAF Signaux pat-0255 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass Probe /evox/about Ligne de requête `GET /evox/about HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Règles WAF rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /evox/about HTTP/1.1 Host: 62.3.50.33:18789 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Connect Requête brute (extrait) GET /evox/about HTTP/1.1 Host: 62.3.50.33:18789 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Connection: close Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": null, "http_ua_hash": "033dedd926f028341b5d0b4ba132f8088c552b7c", "http_host_hash": "473c9614888ff9827a98bf7fad6203e6de73b3a4", "http_target_hash": "9e931bb53b054c2fff95daa013fecdd4ca2a01a2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 142, "payload_entropy": 5.1782664397160545, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "http", "app_proto": "http", "asn": 14061, "country": "DE", "dst_port": 18789, "risk_waf": 100, "risk_classification": 60, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 100, "classification": 60, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ffaf4893b7dda1835bd2cb9c84786878bec50b93", "event_fingerprint": "274a5c0642299cc0edcc059645f204f3973db0a2", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "confidence": 0.54, "classification_confidence": 0.54, "precision_score": 55, "precision_signals": [ "pat-0255" ], "kb_rule_ids": [ "pat-0255" ], "matched_patterns": [ "pat-0103", "pat-0255" ], "matched_pattern_names": [ "LFI Double-dot bypass", "Probe \/evox\/about" ], "pattern_ids": [ "pat-0103", "pat-0255" ], "confidence_breakdown": { "waf": 100, "classification": 60, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "named_classification_skipped": false, "classification_parent": "vuln_scanner", "service_name": "http", "risk_confidence_factor": 46, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9f9c7ebc5d6f6c8d69ee2392fa6e3a4f", "payload_hash": "3b76319c9bbf4f1a2c3b6561c043f242", "path_pattern_hash": "6c06e7a5a57aea56adce71b0743fb577" }, "target_context": { "dst_port": 18789, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/evox\/about HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnect", "method": "GET", "path": "\/evox\/about", "user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/evox\/about HTTP\/1.1", "request_sample": "GET \/evox\/about HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/evox\/about HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnect", "evidence": { "method": "GET", "path": "\/evox\/about", "user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "waf_tags": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/evox\/about HTTP\/1.1", "request_sample": "GET \/evox\/about HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/evox\/about HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnect", "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "939180b026342a6796127481949125c7f7b62ff4", "protocol_details": { "http_method": "GET", "http_path": "\/evox\/about", "request_line": "GET \/evox\/about HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/evox\/about HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnect", "attack_vector": "scanner vuln \u00b7 via HTTP:18789 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/evox\/about", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "classification_reason_label_fr": "Type \u00ab scanner_vuln \u00bb (signaux protocolaires) \u00b7 confiance 46%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 54 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 54, "confidence_breakdown": { "waf": 100, "classification": 60, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 56, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18789, "protocol_emulated": null, "tags_summary": [ "pat-0255" ], "tags_summary_labels_fr": [ "pat-0255" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/evox\/about", "request_line": "GET \/evox\/about HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "scanner vuln \u00b7 via HTTP:18789 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/evox\/about", "evidence_snippet": "GET \/evox\/about HTTP\/1.1\r\nHost: 62.3.50.33:18789\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nConnect", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 46 % \u2014 Motif catalogue confirm\u00e9 \u00b7 4 tag(s) WAF", "confidence_factors_fr": "Confiance 54 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18789" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:18789" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950406:ssrf-3", "950468:nosqli-3", "950470:nosqli-3" ], "asn_dc_heuristic": true }
18/06/2026 18:56:33 UTC	TCP	18789 · HTTP	http	http http · via HTTP:18789 · (sonde / probe)	Faible	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / Émulateur HTTP WAF 3 Recommandation Surveiller Tags 950734:sap-sapcontrol-path http_no_ua Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18789 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 61% Confiance classification 69% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 61 % — Score WAF 20 · 1 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent — Règles WAF sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33 Meta JSON brut { "http_header_count": 1, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 36, "payload_entropy": 4.120635070586275, "port_category": "registered", "org": "DigitalOcean, LLC", "service": "http", "app_proto": "http", "asn": 14061, "country": "DE", "dst_port": 18789, "risk_waf": 20, "risk_classification": 8, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.2, "risk_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 0 }, "risk_score": 35, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ed5d30d0323702d68576e749ff5abdb34ad175f1", "event_fingerprint": "a989251301143bd1febf488a292ce1d0bc5d6388", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ef68cc3998909dc24cb027bb8e373e0a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "service_name": "http", "target_context": { "dst_port": 18789, "service": "http", "service_name": "http", "risk_score": 35 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\n\r\n", "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33", "evidence": { "method": "GET", "path": "\/", "waf_tags": [ "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33", "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%" }, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "confidence_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "confidence": 0.69, "classification_confidence": 0.69, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aafb88338a4205d344bcfbc22600778eb64ac151", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33", "attack_vector": "http \u00b7 via HTTP:18789 \u00b7 (sonde \/ probe)", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 69, "confidence_breakdown": { "waf": 20, "classification": 8, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 0, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18789, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "port": 18789, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http \u00b7 via HTTP:18789 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33", "target_port_label": "18789 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF", "confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18789" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:18789" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "http_no_ua" ], "asn_dc_heuristic": true }
18/06/2026 18:56:29 UTC	TCP	18789	—	Sonde port Sonde port · port 18789 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 18789 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "DigitalOcean, LLC", "service": null, "app_proto": null, "asn": 14061, "country": "DE", "dst_port": 18789, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.5, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "722bac193906feb59c6ac0dc2f0b8180c5371669", "event_fingerprint": "3faab7243651a289d29bae1a3c706427cf008648", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "DE", "asn": 14061, "org": "DigitalOcean, LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 18789, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "417633b142f27b3f27ad8ab6ca42c5267db5c216", "protocol_details": { "port": 18789 }, "attack_vector": "Sonde port \u00b7 port 18789 \u00b7 (sonde \/ probe)", "target_port_label": "18789", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 18789, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 18789 }, "attack_vector": "Sonde port \u00b7 port 18789 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "18789", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "18789" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

188.166.164.91

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

188.166.164.91

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence