Renseignement sur les menaces

Royaume-Uni

193.176.29.27

FAI Hydra Communications Ltd Première vue 25/04/2026 15:31 UTC Dernière vue 17/06/2026 06:01 UTC Risque Critique

Période analysée : 2026-05-18 → 2026-06-17

Activité suspecte · risque 47/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 25/04/2026 15:31 UTC

Dernière observation 17/06/2026 06:01 UTC

Événements (période) 79

MITRE ATT&CK principal TA0001 8 occurrences

Activité suspecte · risque 47/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « rtsp_probe » (signaux protocolaires) · confiance 95%

Confiance 95 % — Score WAF 8

Comparaison ASN / FAI

ASN 25369 · 193.176.28.0/22 · RIPENCC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 79 événements sur la période pour cette IP.

188.240.59.18 Traversal LFI 17/06/2026 07:06 UTC
89.37.172.132 Traversal LFI 17/06/2026 07:06 UTC
81.19.219.216 Sonde HTTP smuggling 17/06/2026 07:06 UTC
194.50.235.141 Traversal LFI 17/06/2026 07:06 UTC
188.240.59.15 Sonde HTTP smuggling 17/06/2026 07:06 UTC
194.50.235.148 Traversal LFI 17/06/2026 07:05 UTC
31.14.254.82 Traversal LFI 17/06/2026 07:05 UTC
195.140.214.20 Traversal LFI 17/06/2026 07:05 UTC

Événements (filtres)

Première observation

25/04/2026 15:31 UTC

Dernière observation

17/06/2026 06:01 UTC

Dernière activité (filtres)

17/06/2026 06:01 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 40 TLS TCP 21 RTSP ALT TCP 2 MQTT TCP 1 NETBIOS SSN TCP 1 CASSANDRA JMX TCP 1 SOCKS TCP 1 CLOUDFLARE TUNNEL TCP 1 VMWARE AUTH TCP 1

HTTP

TLS

RTSP ALT

MQTT

NETBIOS SSN

CASSANDRA JMX

Géolocalisation

Origine réseau déclarée

Royaume-Uni unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Hydra Communications Ltd 82 Port 8554 rtsp_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

rtsp probe · via RTSP ALT:8554 · (sonde / probe)

Détails protocole

Aperçu payload

OPTIONS * RTSP/1.0 CSeq: 1 User-Agent: VLC/3.0.20

Port / service

8554 · RTSP ALT

Service émulé

RTSP-ALT

Raison confiance

Confiance 95 % — Motif catalogue confirmé

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

pat-0382 Upstream

Confiance

95%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

79 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

79 événement(s) — page 1/2

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 06:01:17 UTC	TCP	8554 · RTSP ALT	rtsp-alt	Sonde RTSP rtsp probe · via RTSP ALT:8554 · (sonde / probe)	Élevée	Moyen · 47
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP-ALT WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8554 Chemin / cible — Service RTSP ALT Payload OPTIONS * RTSP/1.0 CSeq: 1 User-Agent: VLC/3.0.20 Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 47 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RTSP protocol HTTP OPTIONS method User-Agent — Règles WAF — Payload (extrait) OPTIONS * RTSP/1.0 CSeq: 1 User-Agent: VLC/3.0.20 Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 55, "payload_entropy": 4.744640622458224, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "rtsp-alt", "app_proto": "rtsp-alt", "asn": 25369, "country": "GB", "dst_port": 8554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5049ad9e8ce50e4704e2a0f7def474f244a0ffe8", "event_fingerprint": "dda900f8f0700ffe1f2b62a0cdf29556ed40edf9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 83, "precision_signals": [ "pat-0382", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "INT-upstream" ], "matched_patterns": [ "pat-0382", "pat-0420" ], "matched_pattern_names": [ "RTSP protocol", "HTTP OPTIONS method" ], "pattern_ids": [ "pat-0382", "pat-0420" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "rtsp-alt", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "32203f4e50ae1850bc7b94eb02fa8960", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 8554, "service": "rtsp-alt", "service_name": "rtsp-alt", "risk_score": 47 }, "payload_preview": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20\r\n\r\n", "request_sample": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20\r\n\r\n", "payload_snippet": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "evidence": { "request_sample": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20\r\n\r\n", "payload_snippet": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d7cdc20bce68035bac7cf9b1783324d178605f7", "protocol_details": { "payload_preview": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "port": 8554, "service": "rtsp-alt", "service_label_fr": "RTSP ALT" }, "evidence_snippet": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "attack_vector": "rtsp probe \u00b7 via RTSP ALT:8554 \u00b7 (sonde \/ probe)", "target_port_label": "8554 \u00b7 RTSP ALT", "emulator_service": "rtsp-alt", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 47 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 47, "risk_label": "Moyen", "service_name": "rtsp-alt", "service_label_fr": "RTSP ALT", "dst_port": 8554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp-alt", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "port": 8554, "service": "rtsp-alt", "service_label_fr": "RTSP ALT" }, "attack_vector": "rtsp probe \u00b7 via RTSP ALT:8554 \u00b7 (sonde \/ probe)", "evidence_snippet": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "target_port_label": "8554 \u00b7 RTSP ALT", "emulator_service": "rtsp-alt", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp_alt", "service_banner": "honeypot-rtsp-alt", "service_os": "linux", "dst_port": "8554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
16/06/2026 23:03:52 UTC	TCP	5038 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:5038 · (tentative d'exploit) · → /sse	Élevée	Moyen · 57
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /sse UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /sse TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5038 Chemin / cible /sse Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 57 Confiance : Confiance 59 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /sse HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:5038 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: t Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:5038 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "7b5a9214aef363a20d84e4b67c2b7429e136c756", "http_target_hash": "a86b90c44ea188f3d86201cc14f47bf56d184d49", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 190, "payload_entropy": 5.152727055684007, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 5038, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ad41b4cb2a76d522ad032daf81fe13053cbe2f98", "event_fingerprint": "fe761efeaf2d2fbe192d78d56d80637d06ff2d66", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "7d636e3275b3cbc91533a1798a97f15d", "path_pattern_hash": "9c55a765acd7167a274de1a30a6df566" }, "target_context": { "dst_port": 5038, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:5038\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:5038\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:5038\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "evidence": { "method": "GET", "path": "\/sse", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/sse HTTP\/1.1", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:5038\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:5038\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44ac0beb8c2641b715a832a53d7ebd99f9cd5912", "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 5038, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:5038\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "attack_vector": "lfi path traversal \u00b7 via HTTP:5038 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "target_port_label": "5038 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 57 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5038, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sse", "request_line": "GET \/sse HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 5038, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:5038 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/sse", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:5038\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "target_port_label": "5038 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5038" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
16/06/2026 16:47:57 UTC	TCP	5094 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:5094 · (tentative d'exploit)	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5094 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 56 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5094 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5094 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "ceda4710fbcc8053179f4553866b83e83dbedc9e", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.2020557416630915, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 5094, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "368b7605d627874892264a330597cb3dc5d7561c", "event_fingerprint": "9ca756d4831878695df68107fa679050921eef7d", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 56 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "72c43c4a6c6728d2e7580748012fc781", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5094, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5094\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5094\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5094\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5094\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5094\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ea37dc72f32a7514ab26d1479ae1ab0ce9020866", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 5094, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5094\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:5094 \u00b7 (tentative d'exploit)", "target_port_label": "5094 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5094, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 5094, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:5094 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5094\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "5094 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5094" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 72 }
15/06/2026 17:44:09 UTC	TCP	8554 · RTSP ALT	rtsp-alt	Sonde RTSP rtsp probe · via RTSP ALT:8554 · (sonde / probe)	Élevée	Moyen · 47
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur RTSP-ALT WAF — Recommandation Surveiller Tags net_rtsp_probe rtsp_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8554 Chemin / cible — Service RTSP ALT Payload OPTIONS * RTSP/1.0 CSeq: 1 User-Agent: VLC/3.0.20 Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 47 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0382 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RTSP protocol HTTP OPTIONS method User-Agent — Règles WAF — Payload (extrait) OPTIONS * RTSP/1.0 CSeq: 1 User-Agent: VLC/3.0.20 Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 55, "payload_entropy": 4.744640622458224, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "rtsp-alt", "app_proto": "rtsp-alt", "asn": 25369, "country": "GB", "dst_port": 8554, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15 }, "risk_score": 47, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5049ad9e8ce50e4704e2a0f7def474f244a0ffe8", "event_fingerprint": "dda900f8f0700ffe1f2b62a0cdf29556ed40edf9", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 83, "precision_signals": [ "pat-0382", "INT-upstream" ], "kb_rule_ids": [ "pat-0382", "INT-upstream" ], "matched_patterns": [ "pat-0382", "pat-0420" ], "matched_pattern_names": [ "RTSP protocol", "HTTP OPTIONS method" ], "pattern_ids": [ "pat-0382", "pat-0420" ], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "rtsp-alt", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "32203f4e50ae1850bc7b94eb02fa8960", "path_pattern_hash": "b1dd2a100b4c2489a836875293183168" }, "target_context": { "dst_port": 8554, "service": "rtsp-alt", "service_name": "rtsp-alt", "risk_score": 47 }, "payload_preview": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20\r\n\r\n", "request_sample": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20\r\n\r\n", "payload_snippet": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "evidence": { "request_sample": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20\r\n\r\n", "payload_snippet": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d7cdc20bce68035bac7cf9b1783324d178605f7", "protocol_details": { "payload_preview": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "port": 8554, "service": "rtsp-alt", "service_label_fr": "RTSP ALT" }, "evidence_snippet": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "attack_vector": "rtsp probe \u00b7 via RTSP ALT:8554 \u00b7 (sonde \/ probe)", "target_port_label": "8554 \u00b7 RTSP ALT", "emulator_service": "rtsp-alt", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 15, "risk_score": 47 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 47, "risk_label": "Moyen", "service_name": "rtsp-alt", "service_label_fr": "RTSP ALT", "dst_port": 8554, "protocol_emulated": true, "tags_summary": [ "pat-0382", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0382", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp-alt", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "payload_preview": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "port": 8554, "service": "rtsp-alt", "service_label_fr": "RTSP ALT" }, "attack_vector": "rtsp probe \u00b7 via RTSP ALT:8554 \u00b7 (sonde \/ probe)", "evidence_snippet": "OPTIONS * RTSP\/1.0\r\nCSeq: 1\r\nUser-Agent: VLC\/3.0.20", "target_port_label": "8554 \u00b7 RTSP ALT", "emulator_service": "rtsp-alt", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp_alt", "service_banner": "honeypot-rtsp-alt", "service_os": "linux", "dst_port": "8554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "net_rtsp_probe", "rtsp_probe" ] }
15/06/2026 16:49:52 UTC	TCP	2053 · CLOUDFLARE TUNNEL	cloudflare-tunnel	Botnet Mozi mozi pattern · via CLOUDFLARE TUNNEL:2053 · (commande & contrôle)	Élevée	Faible · 36
Étape Commande & contrôle Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné Multi-protocole corrélé (5 min) MITRE TA0011 TA0011 Protocole Émulateur CLOUDFLARE-TUNNEL WAF — Recommandation Surveiller Tags cloudflare_tunnel_emulated cloudflare_tunnel_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2053 Chemin / cible — Service CLOUDFLARE TUNNEL Payload GET /sse HTTP/1.1 Host: 62.3.50.33:2053 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: t Pourquoi cette classification : Type « mozi_pattern » (signaux protocolaires) · confiance 0% Confiance classification 18% Corrélation +18 Risque capteur Faible · 36 Confiance : Confiance 0 % — 5 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0011 Tactiques MITRE TA0011 Motifs de détection (base) LFI Double-dot bypass User-Agent — Règles WAF — Payload (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:2053 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: t Requête brute (extrait) GET /sse HTTP/1.1 Host: 62.3.50.33:2053 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: text/event-stream Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a5365727665723a20636c6f7564666c6172650d0a436f6e74656e742d4c656e6774683a20300d0a0d0a", "emulator_response_len": 65, "bytes_in": 190, "payload_entropy": 5.142200739894534, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "cloudflare-tunnel", "app_proto": "cloudflare-tunnel", "asn": 25369, "country": "GB", "dst_port": 2053, "risk_waf": 8, "risk_classification": 82, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25 }, "risk_score": 36, "tag_count": 5, "anomaly_count": 0, "campaign_key": "5004ba207ce4d8d47204e0994c4d5fbe107e9847", "event_fingerprint": "ecf61e9accc2dacac55d45c01f6f6a64e26c6ab4", "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.18, "classification_confidence": 0.18, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 36, "correlation_boost": 18 }, "named_classification_skipped": false, "service_name": "cloudflare-tunnel", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "dd5ac660ec805ecc1b537fae6003530c", "path_pattern_hash": "762d384fab941f6d0c2239f19994f30e" }, "target_context": { "dst_port": 2053, "service": "cloudflare-tunnel", "service_name": "cloudflare-tunnel", "risk_score": 36 }, "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "evidence": { "request_sample": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: text\/event-stream\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "c2", "mitre_tactics": [ "TA0011" ], "mitre": "TA0011", "threat_family": [ "botnet" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c3cb719e85ec710b7e2b1a8e5b3586d378771a5b", "protocol_details": { "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "port": 2053, "service": "cloudflare-tunnel", "service_label_fr": "CLOUDFLARE TUNNEL" }, "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "attack_vector": "mozi pattern \u00b7 via CLOUDFLARE TUNNEL:2053 \u00b7 (commande & contr\u00f4le)", "target_port_label": "2053 \u00b7 CLOUDFLARE TUNNEL", "emulator_service": "cloudflare-tunnel", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 36\/100 (Faible) \u2014 MITRE TA0011 \u2014 confiance 18 % \u2014 via CLOUDFLARE TUNNEL \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 18, "confidence_breakdown": { "waf": 8, "classification": 82, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 36, "correlation_boost": 18 }, "attack_stage": "c2", "attack_stage_label": "Commande & contr\u00f4le", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 36, "risk_label": "Faible", "service_name": "cloudflare-tunnel", "service_label_fr": "CLOUDFLARE TUNNEL", "dst_port": 2053, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0011", "mitre_technique": "TA0011", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cloudflare-tunnel", "correlation_flags": [ "scan_coordonn\u00e9", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +18", "protocol_details": { "payload_preview": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "port": 2053, "service": "cloudflare-tunnel", "service_label_fr": "CLOUDFLARE TUNNEL" }, "attack_vector": "mozi pattern \u00b7 via CLOUDFLARE TUNNEL:2053 \u00b7 (commande & contr\u00f4le)", "evidence_snippet": "GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:2053\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: t", "target_port_label": "2053 \u00b7 CLOUDFLARE TUNNEL", "emulator_service": "cloudflare-tunnel", "confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 18 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (193.176.29.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": true, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cloudflare_tunnel", "service_banner": "honeypot-cloudflare-tunnel", "service_os": "linux", "dst_port": "2053" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "cloudflare-tunnel", "http" ], "multi_protocol_window_s": 300, "coordinated_scan": true, "coordinated_subnet": "193.176.29.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 18, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "cloudflare_tunnel_emulated", "cloudflare_tunnel_payload", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
15/06/2026 16:46:38 UTC	TCP	137 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:137 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 137 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 61 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:137 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-L Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:137 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Version Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "20cc1dadbc459a99d116f7f7b3a906a13fde02fb", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 446, "payload_entropy": 5.202892905513096, "port_category": "well_known", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 137, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "91ca2988cf18f3778fa48c2de31d898ee28114fe", "event_fingerprint": "1bb220256165319967ff535745ef6729d175fe21", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 61 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "8d4528b65849339fc94f979cf4e551d6", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 137, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:137\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:137\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:137\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:137\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Version", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:137\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0668bd30b56bd68198a8e2b1e08b636647ae8b66", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 137, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:137\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "attack_vector": "http smuggling probe \u00b7 via HTTP:137 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "137 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 61 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 137, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 137, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:137 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:137\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-L", "target_port_label": "137 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "137" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
15/06/2026 11:26:09 UTC	TCP	8080 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:8080 · (tentative d'exploit)	Élevée	Moyen · 58
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 58 Confiance : Confiance 59 % — 5 tag(s) WAF Protocole émulé 1 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.185554279395616, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 8080, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 58, "tag_count": 6, "anomaly_count": 0, "campaign_key": "102e155da1350427b4140664a0ef816be0b5e490", "event_fingerprint": "40b715f896d2b7fa6aa501f564ded6db17be3077", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 58 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "774ca542029a808a53f94be30014e993", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "89874045dd6489b2ee116c8d220c8b938a61d8f4", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 58 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 58, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
15/06/2026 10:49:52 UTC	TCP	6023 · HTTP	http	Sonde HTTP smuggling http smuggling probe · via HTTP:6023 · (tentative d'exploit) · → /mcp	Élevée	Moyen · 61
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole POST /mcp UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 34 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950383:rce-14 950406:ssrf-3 Cible HTTP POST /mcp TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 6023 Chemin / cible /mcp Service HTTP Pourquoi cette classification : Type « http_smuggling_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 61 Confiance : Confiance 95 % — Motif catalogue confirmé · 5 tag(s) WAF Signaux pat-0842 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL LFI Double-dot bypass Ligne de requête `POST /mcp HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 rce-14 ssrf-3 nosqli-3 Payload (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:6023 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content- Requête brute (extrait) POST /mcp HTTP/1.1 Host: 62.3.50.33:6023 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Content-Length: 151 Accept: application/json, text/event-stream Connection: close Content-Type: application/json Mcp-Protocol-Versio Meta JSON brut { "http_header_count": 8, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "cf73ef155f5caca52e9aa85ac898924f6f9c1e5c", "http_target_hash": "b6dd5207698ea0722ea3c46de82524f56e66f110", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 447, "payload_entropy": 5.195554279567546, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6023, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "0269b21f3fc76928840fcbd5f0b33138902029c6", "event_fingerprint": "fbd82d287a1fd4ab770a7643a96e9e7140399de0", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 84, "precision_signals": [ "pat-0842" ], "kb_rule_ids": [ "pat-0842" ], "matched_patterns": [ "pat-0842", "pat-0103" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0842", "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 61 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "86bfed23cc96c7a31f3e5d00124f1901", "path_pattern_hash": "88fe637beab867e285c088d60d6cc3b3" }, "target_context": { "dst_port": 6023, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6023\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6023\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6023\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "evidence": { "method": "POST", "path": "\/mcp", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "rce-14", "ssrf-3", "nosqli-3" ], "request_line": "POST \/mcp HTTP\/1.1", "request_sample": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6023\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-Length: 151\r\nAccept: application\/json, text\/event-stream\r\nConnection: close\r\nContent-Type: application\/json\r\nMcp-Protocol-Versio", "payload_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6023\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "web_injection" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e14d7f4b5bed158c94e5042727e84dc49acb8f9", "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6023, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6023\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "attack_vector": "http smuggling probe \u00b7 via HTTP:6023 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "target_port_label": "6023 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP", "confidence_pct": 95, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 61 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 61, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6023, "protocol_emulated": null, "tags_summary": [ "pat-0842" ], "tags_summary_labels_fr": [ "pat-0842" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/mcp", "request_line": "POST \/mcp HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6023, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "http smuggling probe \u00b7 via HTTP:6023 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/mcp", "evidence_snippet": "POST \/mcp HTTP\/1.1\r\nHost: 62.3.50.33:6023\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nContent-", "target_port_label": "6023 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6023" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950383:rce-14", "950406:ssrf-3", "950470:nosqli-3" ] }
13/06/2026 16:09:23 UTC	TCP	6051 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:6051 · (tentative d'exploit)	Élevée	Moyen · 56
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6051 Chemin / cible / Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 56 Confiance : Confiance 59 % — 5 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6051 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6051 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "95cdd489acdc004c9e7822e3442666c0c28b8549", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.171737172311436, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6051, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "568bcfb0b7fb7953b6bd4091e4859911e9750b15", "event_fingerprint": "a663ec907dd5451d1c1daf34fa14ea12f8d7ecaf", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 56 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "d5f907394bfdace30d9beeaa809ddb4a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6051, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd438b0ade826387191078c462bf5fca63a398bc", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6051, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "attack_vector": "lfi path traversal \u00b7 via HTTP:6051 \u00b7 (tentative d'exploit)", "target_port_label": "6051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 56 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 6051, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 6051, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:6051 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6051\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "target_port_label": "6051 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 59 % \u2014 5 tag(s) WAF", "confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6051" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 72 }
09/06/2026 22:08:25 UTC	TCP	7200 · HTTP	http	Traversal LFI lfi path traversal · via HTTP:7200 · (tentative d'exploit) · → /favicon.ico	Élevée	Moyen · 55
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET /favicon.ico UA Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Émulateur HTTP WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7200 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 55 Confiance : Confiance 50 % — 4 tag(s) WAF Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7200 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) A Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:7200 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "08610173e3ebaeb138235b7f936552a9ff560cc0", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.175558884477883, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 7200, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "e6f5ce9cc63fae3e3391f8f622dfa8ac3713ce4c", "event_fingerprint": "a400337a9a9bbd025fffbc3f9d6f35e613690443", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence": 0.5, "classification_confidence": 0.5, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 55 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "f80f83ea868d6c6d6e2ffc80e7af6dc4", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 7200, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7200\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7200\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7200\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7200\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7200\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0de277670c149c91d05c79c4d53f99d12aeef701", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 7200, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7200\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "attack_vector": "lfi path traversal \u00b7 via HTTP:7200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "target_port_label": "7200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP", "confidence_pct": 50, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 55 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7200, "protocol_emulated": null, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "port": 7200, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "lfi path traversal \u00b7 via HTTP:7200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:7200\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "target_port_label": "7200 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
07/06/2026 14:25:53 UTC	TCP	7003 · HTTP	http	Traversal LFI	Élevée	Moyen · 60
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7003 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Risque capteur Moyen · 60 Protocole émulé 1 Signaux CRS-930100-sub Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Conne Requête brute (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 7003, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 60, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cf9349e375c565ee390e326b1306355f7ca1f8c2", "event_fingerprint": "e7ce94a77d59d9549d956fa854e9d5ee64f0aa98", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 60 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "973598b044a4648e3c3fc5667c0c8ce9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7003, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "813b93e75aebf5217d99d1b516effdc593ef6267", "site_display": { "classification": null, "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence_pct": 59, "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 60 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 60, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7003, "protocol_emulated": true, "tags_summary": [ "CRS-930100-sub" ], "tags_summary_labels_fr": [ "CRS-930100-sub" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
06/06/2026 21:08:36 UTC	TCP	7052 · HTTP	http	Traversal LFI	Élevée	Moyen · 57
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7052 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7052 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7052 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "65ab8255dcfe970d70d196ce0ded446ff0837871", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.190495048021473, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 7052, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e3c21f168cb8b8701397501d5737658916540354", "event_fingerprint": "2821333a51e24bb179bd32c47788222c063faf57", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "confidence_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25, "risk_score": 57 }, "named_classification_skipped": false, "classification_parent": "path_traversal", "service_name": "http", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "402a5e4216815609577f2fc70f7d7c8a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7052, "service": "http", "service_name": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7052\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7052\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7052\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7052\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7052\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "76b8b1328b71d58534327e63ca4fcadc402e3c7e", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7052" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploit_attempt", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 09:59:35 UTC	TCP	8983	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8983 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Conne Requête brute (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 8983, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "95048405e042c4de7d6d5aa525100a11bdd60127", "event_fingerprint": "a0576f93b43d54ff41666f71da851906666dc0b4", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "973598b044a4648e3c3fc5667c0c8ce9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8983, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a975252ae402f0a45ca9eb4ad2f11d7a6569afde", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 08:37:41 UTC	TCP	6007	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6007 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6007 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) A Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6007 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "ecb0a180a3e239001742d95e1797abc8f896a791", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 184, "payload_entropy": 5.1755588844778835, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6007, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 58, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2944ba6ce4f2e66a06061f9bfa529ebd865fd85e", "event_fingerprint": "fa7b2021624f008ac454757d9475d214476a0c47", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "aef03800bb02631770758a4c1b736a45", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 6007, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6007\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6007\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6007\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6007\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6007\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nA", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9fa6ac253ad27eaf65d6a849167b20face87cd3f", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
06/06/2026 06:18:34 UTC	TCP	5066	http	Traversal LFI	Élevée	Moyen · 57
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5066 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5066 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:5066 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "16a12c17ff82d6e17ca0f5eafd5cb19fc5eec505", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.174570842806656, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 5066, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c7702ed75af222f00484883c789f9d7691a4fe53", "event_fingerprint": "0be9be7bbfa136677f400b84702e3df427c68632", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "6b558e0123e6a3819b4c6d1b07466d72", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5066, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5066\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5066\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5066\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5066\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5066\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dceb1482b3dc3a021169d6892dc3d44dce176e9f", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 05:59:45 UTC	TCP	6030	http	Traversal LFI	Élevée	Moyen · 57
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6030 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6030 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6030 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "ecb7755f04ec81625c69a130ca8b07a3699c99ab", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.166796403685578, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 6030, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "c78e608309084db38436adec823129036276608f", "event_fingerprint": "0e89164656367f1a9619e2527becb456b4044732", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "fba963d5ebf849452af4de9d5e07556a", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6030, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6030\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6030\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6030\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6030\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6030\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2977285c9f92a048d03442d378fa4de53e92ef29", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 03:47:12 UTC	TCP	22910	http	Traversal LFI	Élevée	Moyen · 55
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 22910 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:22910 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:22910 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "bf7be96f5f1e199c98cc67c84939779ca9d6e349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.193057561531052, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 22910, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "85e7f6d4a0c8f163eb49ad3e6c01faebfff37f93", "event_fingerprint": "fe815493c0d85950958fe3cf66770d37688a9355", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "d7e2db24015f3cfc3d7542f09672dad8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 22910, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22910\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22910\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22910\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22910\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:22910\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ee9d9ace9673d4507f53093bc25b00d7bdda13b0", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 03:33:30 UTC	TCP	26077	http	Traversal LFI	Élevée	Moyen · 55
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 26077 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:26077 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:26077 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "fccbc9212db118fa7567bf701e22c6f52f9defa8", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.19396024594267, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 26077, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "65941ceb5cd00244c6906a01491efdfd0ccece58", "event_fingerprint": "03e54a5ae8a0f1bfac74845ce0cfa74fe2b8fdaa", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "776b4808de171d2a8ccd6356fd181e03", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 26077, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26077\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26077\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26077\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26077\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26077\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6d7e2f2e8fe9710e090f8d8c06f7478be82cf64b", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
06/06/2026 02:08:44 UTC	TCP	30261	http	Traversal LFI	Élevée	Moyen · 55
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 30261 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:30261 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:30261 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "5db3c4b8f54d5ce86e5aa6de6b9232addcea28d8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.178745923624885, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 30261, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "b1eb00a688ce8052d04f4c55a78acd0c0907aa07", "event_fingerprint": "71733c4203cac8b738b9599049c569c9c3059268", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "5d8c382404f9ce628aa0b8e420971844", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 30261, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30261\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30261\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30261\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30261\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30261\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "85fd8f58fc1ea6edb1be41c132e49be464fae7c8", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 00:31:09 UTC	TCP	6000	—	Sonde port	Faible	Faible · 17
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6000 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) l Meta JSON brut { "bytes_in": 12, "payload_entropy": 0.8166890883150209, "port_category": "registered", "org": "Hydra Communications Ltd", "service": null, "app_proto": null, "asn": 25369, "country": "GB", "dst_port": 6000, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 17, "tag_count": 0, "anomaly_count": 0, "campaign_key": "5c8df6f4eabf9d7af3f3ecf6c7cf512e0b981324", "event_fingerprint": "ee4840953fa1cc900d65a98f0af258a8aa6cd646", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad33d13d6bc3bd05c9957f130811a989", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 6000 }, "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3f1dd0db410bf32fe11136bbd2649985b90af8fe", "ban_policy": "advisory_monitor" }
05/06/2026 23:19:14 UTC	TCP	3809	http	Traversal LFI	Élevée	Moyen · 59
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3809 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Conne Requête brute (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 3809, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "5e1b21d225fbbc68654113352bc07d55d0f9b2ad", "event_fingerprint": "946bfe81d6e17d598a873d83af674a913e41e94b", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "973598b044a4648e3c3fc5667c0c8ce9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3809, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b142a1f92a749d14ece09bdeb50af1e2c971c00", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
05/06/2026 22:17:23 UTC	TCP	14346	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 14346 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:14346 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:14346 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "cc1758b0ea288b9e1a31eae377ab060252267f97", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.187229908116527, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 14346, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 58, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9d37ff1da650deede57ca9ec788dc13173bfcb18", "event_fingerprint": "0f81f9dfa8bc26f4c29f276f9e22c1690c599bde", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "fecc7dfa50ebbc143d26de1d86d6c760", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 14346, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:14346\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5e5f616de87ab7d0a79510e4ee812d96ff76d3e2", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
05/06/2026 21:00:25 UTC	TCP	12972	http	Traversal LFI	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 12972 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:12972 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:12972 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "f95f4838184db477253a248075bd7b030c82e432", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.2006905837688135, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 12972, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cf1f20b61a52ef078e66fd73cff6bd3331bcbb39", "event_fingerprint": "32c571d36199c679851fdd870185888c2f221954", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "b252cdd1b9cadbe2975338b12a84a945", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 12972, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12972\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12972\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12972\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12972\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:12972\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "60bbcd16e2ff06a74f2bb0bc7195cf2e78bf4193", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
05/06/2026 20:31:37 UTC	TCP	32115	http	Traversal LFI	Élevée	Moyen · 59
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 32115 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:32115 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:32115 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "bfa2561b2a1ca250b3d3a13295eefcc9d1eb7c6d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.172312501333139, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 32115, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2e025ab589b12755182831ffade5b0fa7abf9247", "event_fingerprint": "3330ed23e4ed810583cf0effc5040ccebb6e7b51", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "584fca9af3335053661c379ccca44639", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 32115, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32115\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32115\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32115\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32115\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:32115\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b75d22407df065bf8160a55f28ae48f63684276a", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
05/06/2026 19:24:59 UTC	TCP	11707	http	Traversal LFI	Élevée	Moyen · 58
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11707 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:11707 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:11707 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "71fef158f7f5e70bbf93d03137951d99ba574e55", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.188145188127183, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 11707, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ff696fa58f6df3002ff234f1aabc9b2c5f7e70e0", "event_fingerprint": "13e6f41338f66273c5a9a55ab1936dc5ed824c23", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "22a98ed39f5c4fdadcf162d55eef7ae1", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 11707, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11707\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e71d9103435e1962161bbf043cac81846785cfb", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 84 }
05/06/2026 17:39:11 UTC	TCP	24348	http	Traversal LFI	Élevée	Moyen · 57
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 24348 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Conne Requête brute (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 24348, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 57, "tag_count": 5, "anomaly_count": 0, "campaign_key": "610b358c30deb657cdf6d83e354e523dc015ca42", "event_fingerprint": "6cc66a21d5886fdb067756d2c034909f351a1410", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "973598b044a4648e3c3fc5667c0c8ce9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 24348, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f075d30018ff9edb9fac1ba2d3264c9747a41b5", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
05/06/2026 11:14:39 UTC	TCP	22952	http	Traversal LFI	Élevée	Moyen · 56
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 27 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 22952 Chemin / cible /favicon.ico Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:22952 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:22952 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Accept-Encoding: gzip Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "711072ae7390d529cc17d3ef754e4168c1a1e442", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.185799299973335, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 22952, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "eb24ddf492a21a64018ec5aa76dc43f8be40872f", "event_fingerprint": "20a29866a3c4b024f0a6b4a5cac09089bfc4a9c6", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "1b81df86e79ac143c79fffb40a547349", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 22952, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22952\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22952\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22952\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22952\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:22952\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "32904000733fffea3a5980760f6cce8110328120", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3" ] }
05/06/2026 04:37:39 UTC	TCP	7000	cassandra-jmx	cassandra probe	Élevée	Faible · 23
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags cassandra_emulated mongodb_user_exposed mongodb_version mongodb_version_0.66.0 Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Pourquoi cette classification : Type « cassandra_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) \�ox{"version":"0.66.0","hostname":"ubuntu","os":"linux","arch":"amd64","user":"frpc","timestamp":1 Requête brute (extrait) \�ox{"version":"0.66.0","hostname":"ubuntu","os":"linux","arch":"amd64","user":"frpc","timestamp":1780634267,"pool_count":1} Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 153, "payload_entropy": 4.538981727754499, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 25369, "country": "GB", "dst_port": 7000, "risk_waf": 8, "risk_classification": 55, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 55, "behavior": 0, "geo": 0, "protocol": 30, "novelty": 25 }, "risk_score": 23, "tag_count": 5, "anomaly_count": 0, "campaign_key": "57086b5d0a735c2e7864486e1e9da2ae0e4e373e", "event_fingerprint": "0515a90696fafcab67973d1c4c56caf19b56703e", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "520e035c31f710620b3c562fe901f576", "path_pattern_hash": "4ab235198c4b31da3311b42124ef3494" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx" }, "payload_preview": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffdo\u0000\u0000\u0000\u0000\u0000\u0000\u0000x{\"version\":\"0.66.0\",\"hostname\":\"ubuntu\",\"os\":\"linux\",\"arch\":\"amd64\",\"user\":\"frpc\",\"timestamp\":1", "request_sample": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffdo\u0000\u0000\u0000\u0000\u0000\u0000\u0000x{\"version\":\"0.66.0\",\"hostname\":\"ubuntu\",\"os\":\"linux\",\"arch\":\"amd64\",\"user\":\"frpc\",\"timestamp\":1780634267,\"pool_count\":1}", "payload_snippet": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffdo\u0000\u0000\u0000\u0000\u0000\u0000\u0000x{\"version\":\"0.66.0\",\"hostname\":\"ubuntu\",\"os\":\"linux\",\"arch\":\"amd64\",\"user\":\"frpc\",\"timestamp\":1", "evidence": { "request_sample": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffdo\u0000\u0000\u0000\u0000\u0000\u0000\u0000x{\"version\":\"0.66.0\",\"hostname\":\"ubuntu\",\"os\":\"linux\",\"arch\":\"amd64\",\"user\":\"frpc\",\"timestamp\":1780634267,\"pool_count\":1}", "payload_snippet": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\\\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\ufffdo\u0000\u0000\u0000\u0000\u0000\u0000\u0000x{\"version\":\"0.66.0\",\"hostname\":\"ubuntu\",\"os\":\"linux\",\"arch\":\"amd64\",\"user\":\"frpc\",\"timestamp\":1", "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab cassandra_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "85b9f7800fc0a197be42d907bd05773fbf9bf40f", "ban_policy": "advisory_monitor", "tags_list": [ "cassandra_emulated", "mongodb_user_exposed", "mongodb_version", "mongodb_version_0.66.0", "net_cassandra_probe" ] }
04/06/2026 23:34:29 UTC	TCP	25109	http	Traversal LFI	Élevée	Moyen · 59
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 25109 Chemin / cible / Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) LFI Double-dot bypass Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF lfi-14 rce-0 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Conne Requête brute (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 25109, "risk_waf": 100, "risk_classification": 78, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.5, "risk_breakdown": { "waf": 100, "classification": 78, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "44af26ec4b475c40733df07829d5bcd7cce20173", "event_fingerprint": "c96590bcf1dd2fe5d3b5ff5ab007672a34075231", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "CRS-930100-sub" ], "kb_rule_ids": [ "CRS-930100-sub" ], "matched_patterns": [ "pat-0103" ], "matched_pattern_names": [ "LFI Double-dot bypass" ], "pattern_ids": [ "pat-0103" ], "classification_parent": "path_traversal", "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "973598b044a4648e3c3fc5667c0c8ce9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 25109, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "path_traversal" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7f95126c8bc6a021f18f4d902f271799c0c37171", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
04/06/2026 20:37:45 UTC	TCP	5001	—	Sonde port	Faible	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 5001 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) W�� Meta JSON brut { "bytes_in": 41, "payload_entropy": 2.574442355593193, "port_category": "registered", "org": "Hydra Communications Ltd", "service": null, "app_proto": null, "asn": 25369, "country": "GB", "dst_port": 5001, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 16, "tag_count": 0, "anomaly_count": 0, "campaign_key": "f9c859a5c24cc3fb2774e430a4209523c0ad4934", "event_fingerprint": "6e858df0d600587236fbd58ac21b3d1076ba68e9", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "882c7c9af4145229a7f24b1be68b2889", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 5001 }, "payload_preview": "W\u0000\u0000\u0000\u0000\u0011\u0011\u0007\u0000\u0000\ufffd\ufffd\u0003\u0000\u0000\ufffd\u0003\u0000\u0000\u0014\u0000\u001c\b\n\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0001", "request_sample": "W\u0000\u0000\u0000\u0000\u0011\u0011\u0007\u0000\u0000\ufffd\ufffd\u0003\u0000\u0000\ufffd\u0003\u0000\u0000\u0014\u0000\u001c\b\n\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0001", "payload_snippet": "W\u0000\u0000\u0000\u0000\u0011\u0011\u0007\u0000\u0000\ufffd\ufffd\u0003\u0000\u0000\ufffd\u0003\u0000\u0000\u0014\u0000\u001c\b\n\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0001", "evidence": { "request_sample": "W\u0000\u0000\u0000\u0000\u0011\u0011\u0007\u0000\u0000\ufffd\ufffd\u0003\u0000\u0000\ufffd\u0003\u0000\u0000\u0014\u0000\u001c\b\n\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0001", "payload_snippet": "W\u0000\u0000\u0000\u0000\u0011\u0011\u0007\u0000\u0000\ufffd\ufffd\u0003\u0000\u0000\ufffd\u0003\u0000\u0000\u0014\u0000\u001c\b\n\b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0004\u0001\u0001\u0001\u0000\u0000\u0000\u0000\u0001", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9ab398a99be44c42bead5257095af7a67b9d1279", "ban_policy": "advisory_monitor" }
04/06/2026 13:23:15 UTC	TCP	22436	http	web attack	Élevée	Moyen · 63
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 22436 Chemin / cible / Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Conne Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 22436, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 63, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a93b684d83af3e3f0d5b352ed04093e5e4e3d037", "event_fingerprint": "cb6e8d95eaa26c8c384b46d15c44902654ef09a7", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "973598b044a4648e3c3fc5667c0c8ce9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 22436, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r\nConne", "event_signature": "3a4cb97730834e0cd7060ad94537b4c0bb853207", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
03/06/2026 21:37:11 UTC	TCP	2049	http	web attack	Élevée	Moyen · 60
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 30 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2049 Chemin / cible / Confiance classification 95% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2049 User-Agent: Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Accept: / Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "b39a8eb400b4b390b14491fac490091433fc3d34", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.206419253236291, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "dst_port": 2049, "risk_waf": 100, "risk_classification": 100, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 100, "classification": 100, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "6e5d689241cde014d153fd4bd027d29ea0317de1", "event_fingerprint": "61c2f1b4a231855627240ceb303c49deb2aad68e", "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "GB", "asn": 25369, "org": "Hydra Communications Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d74db3be8cf3d2c61a6ebef42022c154", "payload_hash": "cc0dcf201a97dc27213539c55f32741f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2049, "service": "http" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "confidence": 0.95, "classification_confidence": 0.95, "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2049\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: \/\r", "event_signature": "a0373fcef521caf2c7e7dd164698e6978e3161cb", "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 72 }
03/06/2026 01:38:50 UTC	TCP	427	—	Sonde port	Faible	Faible · 8
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 09:33:54 UTC	TCP	5269	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 06:43:22 UTC	TCP	6653	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6653 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "0c56c22aa3fad86eb65f6449d2e5a777877c8322", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.174570842806656, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "a04a43e1b5e6a8c3f549a161f3a73b6ecde2c19c", "event_fingerprint": "96738f9caa86f2678524c8f74a8ceed3af46d3b7", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
01/06/2026 05:49:09 UTC	TCP	27017	tls	Sonde TLS	Élevée	Élevé · 81
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 05:08:41 UTC	TCP	1194	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1194 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "fa855ac882054142ac60dee34b651341c2872769", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 173, "payload_entropy": 5.197114973037234, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "02a8abce6b2e49be0d5ab0a7172d3f4f40aacf36", "event_fingerprint": "2e312bb8de423d6498986cd0bed80105df4f7a24", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
01/06/2026 04:23:49 UTC	TCP	7	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "b0d51509688aaf6cb87be6e2568f8009d54af8b8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 170, "payload_entropy": 5.172714229823353, "port_category": "well_known", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "730765a46c8be69b48772e62b157418cb21f1a02", "event_fingerprint": "e8b2f2fdf7779689dfd4c09b4201b31d48f8a47a", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
01/06/2026 00:00:25 UTC	TCP	1080	socks	socks	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 21:32:05 UTC	TCP	6046	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 11:53:44 UTC	TCP	26877	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 26877 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "e7ac7ecd794e71914a63e2cbdca798fceb5afd12", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 144, "payload_entropy": 5.097605644356062, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "518a89bd12f4438180727fb0a5056537d9437003", "event_fingerprint": "32b65485b9e4e7a3adf5ea9b38e89ce0ed50fae4", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
31/05/2026 06:42:05 UTC	TCP	8010	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
31/05/2026 03:42:42 UTC	TCP	1962	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 23:55:03 UTC	TCP	6034	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 23:55:03 UTC	TCP	6034	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 20:25:11 UTC	TCP	139	netbios-ssn	netbios-ssn	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 06:19:26 UTC	TCP	6009	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 04:24:49 UTC	TCP	27015	http	web attack	Élevée	Critique · 100
Étape — WAF 30 Recommandation — Tags 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 27015 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Infrawatch/1.0; +https://infrawat.ch/) Règles WAF 950318:lfi-14 950326:rce-0 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d21c1bafc58d16443d9ec66887a72f8ca1f87ea1", "http_host_hash": "a964df508194aaae8d80af2df62724ca6e62d688", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 174, "payload_entropy": 5.193057561531052, "port_category": "registered", "org": "Hydra Communications Ltd", "service": "http", "app_proto": "http", "asn": 25369, "country": "GB", "tag_count": 5, "anomaly_count": 0, "risk_score": 100, "campaign_key": "c3ea8ef1b286496bb478b5b94504659d83fa5d82", "event_fingerprint": "9ac3b1712cf3aa6c5f89f8a330d3ab49ee754405", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
30/05/2026 00:42:09 UTC	TCP	993	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
29/05/2026 22:13:30 UTC	TCP	1883	mqtt	mqtt probe	Élevée	Moyen · 50
Étape — WAF — Recommandation — Tags mqtt_connect Cible HTTP — TLS SNI — Capteur paris-1

193.176.29.27

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence