{"ip":"198.199.89.181","exported_at":"2026-06-19T08:53:20+00:00","period_days":1,"metrics":{"events7d":70,"distinct_ports":22,"distinct_classifications":19,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":22,"max_risk_score":65,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["scanner"],"recommended_action":"monitor","confidence":0.57,"risk_breakdown":{"waf":8,"classification":32,"behavior":0,"geo":40,"protocol":43,"novelty":15},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":36,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 35\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":32,"behavior":0,"geo":40,"protocol":43,"novelty":15,"risk_score":35,"correlation_boost":8},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["multi_protocol_correlation"],"correlation_flags_labels_fr":["Multi-protocole corr\u00e9l\u00e9 (5 min)"],"confidence_pct":57,"confidence_hint_fr":"Corr\u00e9lation +8","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0369"],"tags_summary":["pat-0369"],"attack_vector":"postgres probe \u00b7 via TLS:1434 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ff\u001blB\ufffd\ufffd\ufffd1\t\ufffd\ufffd\u0018\u000e\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd\b \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\u0016\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd\u0013})\ufffd\ufffd\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000","tls_ja3":"d6828e30ab66774a91a96ae93be4ae4c","tls_ja4":"e4d60caa902b8b84112358f96af813c3","port":1434,"service":"tls","service_label_fr":"TLS"},"protocol_summary_fr":"JA3 d6828e30ab66774a \u00b7 Payload \u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ff\u001blB\ufffd\ufffd\ufffd1\t\ufffd\ufffd\u0018\u000e\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd\b \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\u0016\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\u2026 \u00b7 TLS:1434","evidence_snippet":"\ufffd\ufffdflB\ufffd\ufffd\ufffd1\t\ufffd\ufffd\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd})\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{","target_port_label":"1434 \u00b7 TLS","emulator_service":"tls","confidence_reason":"Confiance 49 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%","classification_reason_label_fr":"Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%","confidence_factors_fr":"Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8","payload_preview":"\ufffd\ufffdflB\ufffd\ufffd\ufffd1\t\ufffd\ufffd\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd})\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{"},"events":[{"id":9627030,"ip":"198.199.89.181","ts":"2026-06-19 02:31:53.000000","proto":"tcp","src_port":60236,"dst_port":1434,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.869978251309865, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1434, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222cf103f954c60e81dc10c69c201fcdda5cfa54dc\u0022, \u0022event_fingerprint\u0022: \u002249296f9ac59bf54b662c3e70f4330ed9641e6005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022payload_hash\u0022: \u0022fa81b91d04a7d08fcaf513f48ca16a44\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 1434, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001ff\\u001blB\ufffd\ufffd\ufffd1\\t\ufffd\ufffd\\u0018\\u000e\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd\\b \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\\u0016\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd\\u0013})\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001ff\\u001blB\ufffd\ufffd\ufffd1\\t\ufffd\ufffd\\u0018\\u000e\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd\\b \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\\u0016\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd\\u0013})\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \u07cc\/\\u0002\u7f40?\ufffd\\u0003`\\u000b\ufffd\\u0017\ufffd:\ufffd\ufffdZ[$\ufffdzj_j\ufffdCdj4\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001ff\\u001blB\ufffd\ufffd\ufffd1\\t\ufffd\ufffd\\u0018\\u000e\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd\\b \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\\u0016\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd\\u0013})\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022817e0f6f064f3dc9104c5b4706f83fb96c1ddb45\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001ff\\u001blB\ufffd\ufffd\ufffd1\\t\ufffd\ufffd\\u0018\\u000e\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd\\b \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\\u0016\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd\\u0013})\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 1434, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdflB\ufffd\ufffd\ufffd1\\t\ufffd\ufffd\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd})\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1434 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221434 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 1434, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001ff\\u001blB\ufffd\ufffd\ufffd1\\t\ufffd\ufffd\\u0018\\u000e\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd\\b \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\\u0016\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd\\u0013})\ufffd\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 1434, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1434 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdflB\ufffd\ufffd\ufffd1\\t\ufffd\ufffd\u21ce\ufffd\ufffdi\ufffd(\u0219s\ufffd\ufffd\ufffd\ufffdg\ufffd \ufffd\u003E\ufffdP\ufffdyEA\ufffd3\ufffd\ufffd\u0561\ufffdV\ufffdY\ufffd\ufffdd\ufffd\ufffdT\ufffd\ufffd})\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00221434 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221434\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"d6828e30ab66774a91a96ae93be4ae4c","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":9627024,"ip":"198.199.89.181","ts":"2026-06-19 02:31:52.000000","proto":"tcp","src_port":60210,"dst_port":1434,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.855671560557835, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1434, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222cf103f954c60e81dc10c69c201fcdda5cfa54dc\u0022, \u0022event_fingerprint\u0022: \u002249296f9ac59bf54b662c3e70f4330ed9641e6005\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022payload_hash\u0022: \u00226319d64dd39df76c2c93814adabde628\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 1434, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd6\ufffdTRt\ufffd\ufffd\\t\ufffd\\u0001y\ufffdh\ufffdM\ufffd6Ua5c\ufffd7,\ufffd\ufffd4\ufffd\ufffd 8\ufffd=\ufffdv\ufffd\ufffd\ufffd_\ufffd$\ufffd\\u000f\ufffd\ufffd\ufffd#\ufffdpR\ufffd\\f\ufffdg\ufffd\\\\=\ufffdqW\\bJ\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd6\ufffdTRt\ufffd\ufffd\\t\ufffd\\u0001y\ufffdh\ufffdM\ufffd6Ua5c\ufffd7,\ufffd\ufffd4\ufffd\ufffd 8\ufffd=\ufffdv\ufffd\ufffd\ufffd_\ufffd$\ufffd\\u000f\ufffd\ufffd\ufffd#\ufffdpR\ufffd\\f\ufffdg\ufffd\\\\=\ufffdqW\\bJ\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 AA\ufffd\ufffd\ufffd)\ufffdYz\ufffd,`\ufffdt\ufffd5\\u001c\ufffdp\\nu\ufffd\ufffd\ufffd\\u0003H\\\u0022\\\\\ufffdA\ufffd6\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd6\ufffdTRt\ufffd\ufffd\\t\ufffd\\u0001y\ufffdh\ufffdM\ufffd6Ua5c\ufffd7,\ufffd\ufffd4\ufffd\ufffd 8\ufffd=\ufffdv\ufffd\ufffd\ufffd_\ufffd$\ufffd\\u000f\ufffd\ufffd\ufffd#\ufffdpR\ufffd\\f\ufffdg\ufffd\\\\=\ufffdqW\\bJ\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022735395d61b491bc9198f3b7f221638e8850a1dbf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd6\ufffdTRt\ufffd\ufffd\\t\ufffd\\u0001y\ufffdh\ufffdM\ufffd6Ua5c\ufffd7,\ufffd\ufffd4\ufffd\ufffd 8\ufffd=\ufffdv\ufffd\ufffd\ufffd_\ufffd$\ufffd\\u000f\ufffd\ufffd\ufffd#\ufffdpR\ufffd\\f\ufffdg\ufffd\\\\=\ufffdqW\\bJ\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 1434, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdTRt\ufffd\ufffd\\t\ufffdy\ufffdh\ufffdM\ufffd6Ua5c\ufffd7,\ufffd\ufffd4\ufffd\ufffd 8\ufffd=\ufffdv\ufffd\ufffd\ufffd_\ufffd$\ufffd\ufffd\ufffd\ufffd#\ufffdpR\ufffd\ufffdg\ufffd\\\\=\ufffdqWJ\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1434 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221434 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 1434, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd6\ufffdTRt\ufffd\ufffd\\t\ufffd\\u0001y\ufffdh\ufffdM\ufffd6Ua5c\ufffd7,\ufffd\ufffd4\ufffd\ufffd 8\ufffd=\ufffdv\ufffd\ufffd\ufffd_\ufffd$\ufffd\\u000f\ufffd\ufffd\ufffd#\ufffdpR\ufffd\\f\ufffdg\ufffd\\\\=\ufffdqW\\bJ\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 1434, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1434 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdTRt\ufffd\ufffd\\t\ufffdy\ufffdh\ufffdM\ufffd6Ua5c\ufffd7,\ufffd\ufffd4\ufffd\ufffd 8\ufffd=\ufffdv\ufffd\ufffd\ufffd_\ufffd$\ufffd\ufffd\ufffd\ufffd#\ufffdpR\ufffd\ufffdg\ufffd\\\\=\ufffdqWJ\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00221434 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221434\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"d6828e30ab66774a91a96ae93be4ae4c","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":9627025,"ip":"198.199.89.181","ts":"2026-06-19 02:31:52.000000","proto":"tcp","src_port":60226,"dst_port":1434,"service":"http","classification":"config_file_probe","waf_score":6,"waf_tags":"[\u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/cgi-bin\/authLogin.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: \u0022c3e68bb8f388240c7ecaebb8bcb80a85536526f2\u0022, \u0022http_host_hash\u0022: \u002220f633e7cff478c2585f58298d013520fa99a95f\u0022, \u0022http_target_hash\u0022: \u00228add963f0e61f10c41c8eee4caf504d0e863a0b6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 113, \u0022payload_entropy\u0022: 4.91752487593081, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1434, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d42d5f7a678cd770575e9d7d6d5efbd710d63d22\u0022, \u0022event_fingerprint\u0022: \u002207c5e4f5d149f34e23230554e8d139914d0d8e8a\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 97, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002212bd583dd25b868e6423d8f04cc19fd1\u0022, \u0022payload_hash\u0022: \u0022686167e783cfa80aa9c6c25399cfa951\u0022, \u0022path_pattern_hash\u0022: \u002245fb04fbc0c9ee592196ecdb80f81814\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1434, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1434\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1434\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1434\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1434\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1434\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e66141593cb48be9f2517752a60d20eb2864b91b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 1434, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1434\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:1434 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/authLogin.cgi\u0022, \u0022target_port_label\u0022: \u00221434 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1434, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 1434, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:1434 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/authLogin.cgi\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1434\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00221434 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221434\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022iot_http_endpoint\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:1434","http_user_agent":"Go-http-client\/1.1","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":7,"bytes_in":113},{"id":9607597,"ip":"198.199.89.181","ts":"2026-06-18 20:54:09.000000","proto":"tcp","src_port":41218,"dst_port":9203,"service":"http","classification":"config_file_probe","waf_score":6,"waf_tags":"[\u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/solr\/admin\/info\/system","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022c3e68bb8f388240c7ecaebb8bcb80a85536526f2\u0022, \u0022http_host_hash\u0022: \u0022e92b718328952eaf8116e79ea0ca2c3046d5ed14\u0022, \u0022http_target_hash\u0022: \u0022fc0e9dcca87dcc3e0fb0c7105f0dc0965b093249\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 4.9474348362472735, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9203, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e9f4f3ee3798e87a467500363016595fb0b25070\u0022, \u0022event_fingerprint\u0022: \u0022bed1555fa25368fe7cc9f7063d5a21139709223f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 97, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0754\u0022], \u0022matched_pattern_names\u0022: [\u0022ET solr admin\u0022], \u0022pattern_ids\u0022: [\u0022pat-0754\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002212bd583dd25b868e6423d8f04cc19fd1\u0022, \u0022payload_hash\u0022: \u0022ed23134a4b9ea8e81296c8cad5883146\u0022, \u0022path_pattern_hash\u0022: \u00222bb5950eb761b3b523d8b3a4a96c284e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/solr\/admin\/info\/system\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/solr\/admin\/info\/system\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022968c67a195b614c20400ff97f829ae24a1dc3520\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/solr\/admin\/info\/system\u0022, \u0022request_line\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9203 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/solr\/admin\/info\/system\u0022, \u0022target_port_label\u0022: \u00229203 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 97 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9203, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/solr\/admin\/info\/system\u0022, \u0022request_line\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9203 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/solr\/admin\/info\/system\u0022, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00229203 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229203\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_solr\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9203","http_user_agent":"Go-http-client\/1.1","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_solr\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022]","anomalies":"[]","severity":7,"bytes_in":114},{"id":9607603,"ip":"198.199.89.181","ts":"2026-06-18 20:54:09.000000","proto":"tcp","src_port":41224,"dst_port":9203,"service":"http","classification":"config_file_probe","waf_score":13,"waf_tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/solr\/admin\/cores?action=STATUS\u0026wt=json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022c3e68bb8f388240c7ecaebb8bcb80a85536526f2\u0022, \u0022http_host_hash\u0022: \u0022e92b718328952eaf8116e79ea0ca2c3046d5ed14\u0022, \u0022http_target_hash\u0022: \u00226b03df1c77d35ae8990130ccd8ec9b9323ec38c0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 130, \u0022payload_entropy\u0022: 5.075590729573204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9203, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225527ea3f72c3e43e2f2d621a237b8d229ced6492\u0022, \u0022event_fingerprint\u0022: \u002219ce2b145d0a9db17fdddb0764da76c442152d1e\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0754\u0022], \u0022matched_pattern_names\u0022: [\u0022ET solr admin\u0022], \u0022pattern_ids\u0022: [\u0022pat-0754\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002212bd583dd25b868e6423d8f04cc19fd1\u0022, \u0022payload_hash\u0022: \u0022a62e190f16ff12dbe9a66535aca7d9eb\u0022, \u0022path_pattern_hash\u0022: \u00220897b296d8a40895c8b3be949b5c73f5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/solr\/admin\/cores\u0022, \u0022query_string\u0022: \u0022action=STATUS\u0026wt=json\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/solr\/admin\/cores\u0022, \u0022query_string\u0022: \u0022action=STATUS\u0026wt=json\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f9a5f065f78c6479f595522498cb7716da4bb43\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/solr\/admin\/cores\u0022, \u0022request_line\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9203 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/solr\/admin\/cores\u0022, \u0022target_port_label\u0022: \u00229203 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9203, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/solr\/admin\/cores\u0022, \u0022request_line\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:9203 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/solr\/admin\/cores\u0022, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00229203 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229203\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_solr\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9203","http_user_agent":"Go-http-client\/1.1","http_referer":null,"tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_solr\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022]","anomalies":"[]","severity":7,"bytes_in":130},{"id":9603310,"ip":"198.199.89.181","ts":"2026-06-18 19:42:59.000000","proto":"tcp","src_port":45978,"dst_port":29092,"service":"http","classification":"config_file_probe","waf_score":6,"waf_tags":"[\u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/cgi-bin\/authLogin.cgi","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: \u0022c3e68bb8f388240c7ecaebb8bcb80a85536526f2\u0022, \u0022http_host_hash\u0022: \u00228ab58e916690f18287f0bf2fe745b0cb6e241d5b\u0022, \u0022http_target_hash\u0022: \u00228add963f0e61f10c41c8eee4caf504d0e863a0b6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 4.9478018887031165, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 29092, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022953f97c9e41029a0c23d7dee33fea342cf96d44c\u0022, \u0022event_fingerprint\u0022: \u0022df4da64670b7d0f8a7171d88fe401b5e6c3c2411\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 97, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002212bd583dd25b868e6423d8f04cc19fd1\u0022, \u0022payload_hash\u0022: \u00221215b68c4194610f916f0d330171b817\u0022, \u0022path_pattern_hash\u0022: \u002245fb04fbc0c9ee592196ecdb80f81814\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 29092, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:29092\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:29092\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:29092\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:29092\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:29092\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c315f7a2bb1cbca68227e8f6c58f956b07b91bde\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 29092, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:29092\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:29092 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/authLogin.cgi\u0022, \u0022target_port_label\u0022: \u002229092 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 29092, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 29092, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:29092 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/authLogin.cgi\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:29092\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002229092 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002229092\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022iot_http_endpoint\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:29092","http_user_agent":"Go-http-client\/1.1","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022iot_http_endpoint\u0022]","anomalies":"[]","severity":7,"bytes_in":114},{"id":9603312,"ip":"198.199.89.181","ts":"2026-06-18 19:42:59.000000","proto":"tcp","src_port":45980,"dst_port":29092,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.790958750094249, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 29092, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022404da510ecdfb3b2dcb22d45da6ff050ebcceb27\u0022, \u0022event_fingerprint\u0022: \u0022b013a6ac8e43cf8cc9616a9a24357bb16f8ceb69\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022payload_hash\u0022: \u0022d10874e1e0f61877f44e2d5c5528d241\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 29092, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0006\ufffd\u07bc\ufffdnB\ufffd\ufffd\ufffd\\u001e\ufffd\ufffd\\u000bwh\ufffdF\u032f6\ufffd\ufffd\ufffd9\ufffd\ufffdg5\ufffdF\ufffd \ufffdQ\ufffd\ufffd\u0443\\u001b\\f\ufffdq\ufffd\\t\ufffd\u05e03$ \ufffdY\ufffdix\\b\ufffd\ufffd\ufffdk,{\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0006\ufffd\u07bc\ufffdnB\ufffd\ufffd\ufffd\\u001e\ufffd\ufffd\\u000bwh\ufffdF\u032f6\ufffd\ufffd\ufffd9\ufffd\ufffdg5\ufffdF\ufffd \ufffdQ\ufffd\ufffd\u0443\\u001b\\f\ufffdq\ufffd\\t\ufffd\u05e03$ \ufffdY\ufffdix\\b\ufffd\ufffd\ufffdk,{\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 F\ufffd!\\u0015\ufffd\ufffdE\u0026J\u0026\ufffdwM\\u0007 \ufffdk\ufffd\\u0005\ufffd\ufffd\ufffd)(3\ufffd\ufffd\ufffd\ufffd-\ufffdE\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0006\ufffd\u07bc\ufffdnB\ufffd\ufffd\ufffd\\u001e\ufffd\ufffd\\u000bwh\ufffdF\u032f6\ufffd\ufffd\ufffd9\ufffd\ufffdg5\ufffdF\ufffd \ufffdQ\ufffd\ufffd\u0443\\u001b\\f\ufffdq\ufffd\\t\ufffd\u05e03$ \ufffdY\ufffdix\\b\ufffd\ufffd\ufffdk,{\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227c6f21ee44c0554ec3cea96586dba3286978ea90\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0006\ufffd\u07bc\ufffdnB\ufffd\ufffd\ufffd\\u001e\ufffd\ufffd\\u000bwh\ufffdF\u032f6\ufffd\ufffd\ufffd9\ufffd\ufffdg5\ufffdF\ufffd \ufffdQ\ufffd\ufffd\u0443\\u001b\\f\ufffdq\ufffd\\t\ufffd\u05e03$ \ufffdY\ufffdix\\b\ufffd\ufffd\ufffdk,{\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 29092, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\u07bc\ufffdnB\ufffd\ufffd\ufffd\ufffd\ufffdwh\ufffdF\u032f6\ufffd\ufffd\ufffd9\ufffd\ufffdg5\ufffdF\ufffd \ufffdQ\ufffd\ufffd\u0443\ufffdq\ufffd\\t\ufffd\u05e03$ \ufffdY\ufffdix\ufffd\ufffd\ufffdk,{\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:29092 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002229092 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 29092, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u0006\ufffd\u07bc\ufffdnB\ufffd\ufffd\ufffd\\u001e\ufffd\ufffd\\u000bwh\ufffdF\u032f6\ufffd\ufffd\ufffd9\ufffd\ufffdg5\ufffdF\ufffd \ufffdQ\ufffd\ufffd\u0443\\u001b\\f\ufffdq\ufffd\\t\ufffd\u05e03$ \ufffdY\ufffdix\\b\ufffd\ufffd\ufffdk,{\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 29092, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:29092 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\u07bc\ufffdnB\ufffd\ufffd\ufffd\ufffd\ufffdwh\ufffdF\u032f6\ufffd\ufffd\ufffd9\ufffd\ufffdg5\ufffdF\ufffd \ufffdQ\ufffd\ufffd\u0443\ufffdq\ufffd\\t\ufffd\u05e03$ \ufffdY\ufffdix\ufffd\ufffd\ufffdk,{\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002229092 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002229092\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"d6828e30ab66774a91a96ae93be4ae4c","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":9603305,"ip":"198.199.89.181","ts":"2026-06-18 19:42:58.000000","proto":"tcp","src_port":45968,"dst_port":29092,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.8432554536576875, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 29092, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022404da510ecdfb3b2dcb22d45da6ff050ebcceb27\u0022, \u0022event_fingerprint\u0022: \u0022b013a6ac8e43cf8cc9616a9a24357bb16f8ceb69\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022payload_hash\u0022: \u0022c904f85ff1f7dd3b52b800bee2db25bf\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 29092, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdM\ufffd\u05e3\ufffd\ufffd]\ufffdgE\u01d0-\ufffd\ufffd\ufffd\\u0016!\ufffd#\\u0019?\ufffd\ufffd0q\\u0018\ufffd\ufffd\ufffd\ufffd \ufffdJc9=\ufffd\ufffd\ufffd\ufffd~\ufffd\\b|\ufffd\\u00116\ufffd\\u0012\ufffd\ufffd\ufffdH3\\u0010\\u0000\\u001f\u003Cb\ufffd}~\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdM\ufffd\u05e3\ufffd\ufffd]\ufffdgE\u01d0-\ufffd\ufffd\ufffd\\u0016!\ufffd#\\u0019?\ufffd\ufffd0q\\u0018\ufffd\ufffd\ufffd\ufffd \ufffdJc9=\ufffd\ufffd\ufffd\ufffd~\ufffd\\b|\ufffd\\u00116\ufffd\\u0012\ufffd\ufffd\ufffdH3\\u0010\\u0000\\u001f\u003Cb\ufffd}~\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\\u0001m\ufffd\\tcU\ufffdq\ufffdFu\ufffd\ufffd1\\\u0022\u054fPq\\u001d\ufffd\ufffdK\ufffd\\u0001\ufffd\ufffdI\ufffd7\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdM\ufffd\u05e3\ufffd\ufffd]\ufffdgE\u01d0-\ufffd\ufffd\ufffd\\u0016!\ufffd#\\u0019?\ufffd\ufffd0q\\u0018\ufffd\ufffd\ufffd\ufffd \ufffdJc9=\ufffd\ufffd\ufffd\ufffd~\ufffd\\b|\ufffd\\u00116\ufffd\\u0012\ufffd\ufffd\ufffdH3\\u0010\\u0000\\u001f\u003Cb\ufffd}~\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f006e58695661a4bbfcdcbd327693ec59873be35\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdM\ufffd\u05e3\ufffd\ufffd]\ufffdgE\u01d0-\ufffd\ufffd\ufffd\\u0016!\ufffd#\\u0019?\ufffd\ufffd0q\\u0018\ufffd\ufffd\ufffd\ufffd \ufffdJc9=\ufffd\ufffd\ufffd\ufffd~\ufffd\\b|\ufffd\\u00116\ufffd\\u0012\ufffd\ufffd\ufffdH3\\u0010\\u0000\\u001f\u003Cb\ufffd}~\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 29092, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdM\ufffd\u05e3\ufffd\ufffd]\ufffdgE\u01d0-\ufffd\ufffd\ufffd!\ufffd#?\ufffd\ufffd0q\ufffd\ufffd\ufffd\ufffd \ufffdJc9=\ufffd\ufffd\ufffd\ufffd~\ufffd|\ufffd6\ufffd\ufffd\ufffd\ufffdH3\u003Cb\ufffd}~\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:29092 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002229092 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 29092, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdM\ufffd\u05e3\ufffd\ufffd]\ufffdgE\u01d0-\ufffd\ufffd\ufffd\\u0016!\ufffd#\\u0019?\ufffd\ufffd0q\\u0018\ufffd\ufffd\ufffd\ufffd \ufffdJc9=\ufffd\ufffd\ufffd\ufffd~\ufffd\\b|\ufffd\\u00116\ufffd\\u0012\ufffd\ufffd\ufffdH3\\u0010\\u0000\\u001f\u003Cb\ufffd}~\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 29092, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:29092 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdM\ufffd\u05e3\ufffd\ufffd]\ufffdgE\u01d0-\ufffd\ufffd\ufffd!\ufffd#?\ufffd\ufffd0q\ufffd\ufffd\ufffd\ufffd \ufffdJc9=\ufffd\ufffd\ufffd\ufffd~\ufffd|\ufffd6\ufffd\ufffd\ufffd\ufffdH3\u003Cb\ufffd}~\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002229092 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002229092\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"d6828e30ab66774a91a96ae93be4ae4c","tls_ja3":"771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":9597284,"ip":"198.199.89.181","ts":"2026-06-18 17:58:49.000000","proto":"tcp","src_port":12130,"dst_port":3306,"service":"mysql","classification":"mysql_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400\u0022, \u0022emulator_response_len\u0022: 60, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022mysql\u0022, \u0022app_proto\u0022: \u0022mysql\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 3306, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022bef1cad8d681313ebc2fad5890e78941ae733f15\u0022, \u0022event_fingerprint\u0022: \u00227e64d2ea7efbfd080eb620b69c685e7503a67a61\u0022, \u0022classification_reason\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 87, \u0022precision_signals\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mysql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022f92b97805e8111d6d69ad0f096b65c87\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_name\u0022: \u0022mysql\u0022, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002251c4f619223cf8f2e8fe95a8f161b5010a39cc38\u0022, \u0022protocol_details\u0022: {\u0022mysql_auth_fr\u0022: \u0022Handshake MySQL (auth)\u0022, \u0022port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022}, \u0022attack_vector\u0022: \u0022mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00223306 \u00b7 MYSQL\u0022, \u0022emulator_service\u0022: \u0022mysql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Poign\u00e9e de main MySQL \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022, \u0022dst_port\u0022: 3306, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-DB-mysql-auth\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Db Mysql Auth\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u00228.0.32-MySQL\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022mysql_auth_fr\u0022: \u0022Handshake MySQL (auth)\u0022, \u0022port\u0022: 3306, \u0022service\u0022: \u0022mysql\u0022, \u0022service_label_fr\u0022: \u0022MYSQL\u0022}, \u0022attack_vector\u0022: \u0022mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00223306 \u00b7 MYSQL\u0022, \u0022emulator_service\u0022: \u0022mysql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mysql\u0022, \u0022service_banner\u0022: \u00228.0.32-MySQL\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223306\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mysql_emulated\u0022, \u0022mysql_handshake\u0022, \u0022net_mysql_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mysql_emulated\u0022, \u0022mysql_handshake\u0022, \u0022net_mysql_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":0},{"id":9595548,"ip":"198.199.89.181","ts":"2026-06-18 17:29:10.000000","proto":"tcp","src_port":41146,"dst_port":8983,"service":"http","classification":"config_file_probe","waf_score":6,"waf_tags":"[\u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/solr\/admin\/info\/system","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022c3e68bb8f388240c7ecaebb8bcb80a85536526f2\u0022, \u0022http_host_hash\u0022: \u0022f6c3bc255d867495897cae2961e69a919c989cc2\u0022, \u0022http_target_hash\u0022: \u0022fc0e9dcca87dcc3e0fb0c7105f0dc0965b093249\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 4.964978695896397, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8983, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022beae9a5e0e137473af234703788e2b1105fcdffc\u0022, \u0022event_fingerprint\u0022: \u0022edc246dd7ab371bf90a35f144f669ca16a92469f\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 0.97, \u0022classification_confidence\u0022: 0.97, \u0022precision_score\u0022: 97, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0754\u0022], \u0022matched_pattern_names\u0022: [\u0022ET solr admin\u0022], \u0022pattern_ids\u0022: [\u0022pat-0754\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002212bd583dd25b868e6423d8f04cc19fd1\u0022, \u0022payload_hash\u0022: \u002295f160575cfefe83631cbdbe8dbdcb72\u0022, \u0022path_pattern_hash\u0022: \u00222bb5950eb761b3b523d8b3a4a96c284e\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8983, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/solr\/admin\/info\/system\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/solr\/admin\/info\/system\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022cdc202732634a3878bedc46b9ba1d53271f9eb06\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/solr\/admin\/info\/system\u0022, \u0022request_line\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 8983, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8983 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/solr\/admin\/info\/system\u0022, \u0022target_port_label\u0022: \u00228983 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 97 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 97, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8983, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/solr\/admin\/info\/system\u0022, \u0022request_line\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 8983, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8983 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/solr\/admin\/info\/system\u0022, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00228983 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 97 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228983\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_solr\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8983","http_user_agent":"Go-http-client\/1.1","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_solr\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022]","anomalies":"[]","severity":7,"bytes_in":114},{"id":9595553,"ip":"198.199.89.181","ts":"2026-06-18 17:29:10.000000","proto":"tcp","src_port":41152,"dst_port":8983,"service":"http","classification":"config_file_probe","waf_score":13,"waf_tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/solr\/admin\/cores?action=STATUS\u0026wt=json","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 2, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022c3e68bb8f388240c7ecaebb8bcb80a85536526f2\u0022, \u0022http_host_hash\u0022: \u0022f6c3bc255d867495897cae2961e69a919c989cc2\u0022, \u0022http_target_hash\u0022: \u00226b03df1c77d35ae8990130ccd8ec9b9323ec38c0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 130, \u0022payload_entropy\u0022: 5.090975344957819, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 8983, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022991cc2da4d3e55cdab1a4954d8ba78801fd84849\u0022, \u0022event_fingerprint\u0022: \u0022c24197e48da4de9c34f25646e3751f151de32953\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 127, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0754\u0022], \u0022matched_pattern_names\u0022: [\u0022ET solr admin\u0022], \u0022pattern_ids\u0022: [\u0022pat-0754\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002212bd583dd25b868e6423d8f04cc19fd1\u0022, \u0022payload_hash\u0022: \u0022a2ae0a0b6af09542e1e326b861f60bc2\u0022, \u0022path_pattern_hash\u0022: \u00220897b296d8a40895c8b3be949b5c73f5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8983, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/solr\/admin\/cores\u0022, \u0022query_string\u0022: \u0022action=STATUS\u0026wt=json\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/solr\/admin\/cores\u0022, \u0022query_string\u0022: \u0022action=STATUS\u0026wt=json\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022436518febaa20f73341ad8c57a04127001e052d6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/solr\/admin\/cores\u0022, \u0022request_line\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 8983, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8983 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/solr\/admin\/cores\u0022, \u0022target_port_label\u0022: \u00228983 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab rce-0 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8983, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/solr\/admin\/cores\u0022, \u0022request_line\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 8983, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:8983 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/solr\/admin\/cores\u0022, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:8983\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00228983 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 60 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228983\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_solr\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8983","http_user_agent":"Go-http-client\/1.1","http_referer":null,"tags":"[\u0022950325:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_solr\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022]","anomalies":"[]","severity":7,"bytes_in":130},{"id":9585801,"ip":"198.199.89.181","ts":"2026-06-18 14:50:59.000000","proto":"tcp","src_port":28958,"dst_port":9093,"service":"kafka-controller","classification":"solr_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206b61666b615f636f6e74726f6c6c657220726561647920706f72743d393039330d0a\u0022, \u0022emulator_response_len\u0022: 47, \u0022bytes_in\u0022: 130, \u0022payload_entropy\u0022: 5.075590729573204, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022app_proto\u0022: \u0022kafka-controller\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9093, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 32.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ae81f554e5170edb685f12a3c79583bc80b2ce16\u0022, \u0022event_fingerprint\u0022: \u00225e86e7ef7317f197e3a55fdab091d110850a32e6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab solr_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 93, \u0022precision_signals\u0022: [\u0022INT-SEC-solr-admin\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-SEC-solr-admin\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002256660ed6a3014c2aa11f506df39f679f\u0022, \u0022path_pattern_hash\u0022: \u00221532cf2abc57fe877a1cb39330f129c4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab solr_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022monitoring_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a7d3b68faa05f2d315c6ad543c8ec7ede22e276d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022solr probe \u00b7 via KAFKA CONTROLLER:9093 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229093 \u00b7 KAFKA CONTROLLER\u0022, \u0022emulator_service\u0022: \u0022kafka-controller\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab solr_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab solr_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022, \u0022dst_port\u0022: 9093, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-SEC-solr-admin\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Console admin Apache Solr\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-kafka-controller\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022}, \u0022attack_vector\u0022: \u0022solr probe \u00b7 via KAFKA CONTROLLER:9093 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/cores?action=STATUS\u0026wt=json HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00229093 \u00b7 KAFKA CONTROLLER\u0022, \u0022emulator_service\u0022: \u0022kafka-controller\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022kafka_controller\u0022, \u0022service_banner\u0022: \u0022honeypot-kafka-controller\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229093\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022solr_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022solr_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":130},{"id":9585794,"ip":"198.199.89.181","ts":"2026-06-18 14:50:58.000000","proto":"tcp","src_port":28920,"dst_port":9093,"service":"kafka-controller","classification":"solr_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206b61666b615f636f6e74726f6c6c657220726561647920706f72743d393039330d0a\u0022, \u0022emulator_response_len\u0022: 47, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 4.9474348362472735, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022app_proto\u0022: \u0022kafka-controller\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9093, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 32.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ae81f554e5170edb685f12a3c79583bc80b2ce16\u0022, \u0022event_fingerprint\u0022: \u00225e86e7ef7317f197e3a55fdab091d110850a32e6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab solr_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 93, \u0022precision_signals\u0022: [\u0022INT-SEC-solr-admin\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-SEC-solr-admin\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f8688fb4b3fa680ba144f0747ec953c7\u0022, \u0022path_pattern_hash\u0022: \u00221532cf2abc57fe877a1cb39330f129c4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab solr_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022monitoring_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225bfe54de55a59b2c465e36d5151fa06752e571db\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022solr probe \u00b7 via KAFKA CONTROLLER:9093 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229093 \u00b7 KAFKA CONTROLLER\u0022, \u0022emulator_service\u0022: \u0022kafka-controller\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab solr_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab solr_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022, \u0022dst_port\u0022: 9093, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-SEC-solr-admin\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Console admin Apache Solr\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-kafka-controller\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 9093, \u0022service\u0022: \u0022kafka-controller\u0022, \u0022service_label_fr\u0022: \u0022KAFKA CONTROLLER\u0022}, \u0022attack_vector\u0022: \u0022solr probe \u00b7 via KAFKA CONTROLLER:9093 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/solr\/admin\/info\/system HTTP\/1.1\\r\\nHost: 62.3.50.33:9093\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00229093 \u00b7 KAFKA CONTROLLER\u0022, \u0022emulator_service\u0022: \u0022kafka-controller\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022kafka_controller\u0022, \u0022service_banner\u0022: \u0022honeypot-kafka-controller\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229093\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022solr_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022solr_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":114},{"id":9583721,"ip":"198.199.89.181","ts":"2026-06-18 14:19:44.000000","proto":"tcp","src_port":30612,"dst_port":15672,"service":"rabbitmq-mgmt","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.898865288382514, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022app_proto\u0022: \u0022rabbitmq-mgmt\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 15672, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d348180fd241191bd72599b1c83a0d269ab7aef\u0022, \u0022event_fingerprint\u0022: \u0022d870641320d56850618fc809da4bfa15404d9395\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rabbitmq-mgmt\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002220448cfb072785ca15e29be286a070f4\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 15672, \u0022service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022service_name\u0022: \u0022rabbitmq-mgmt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh\ufffd)+\ufffd2\ufffd\ufffd\ufffdi+\ufffdA\ufffd\ufffd-\\u0014\ufffd\\u000e\ufffde\\u0002\\n\ufffdO\ufffdo\/\\u000f \ufffdC\\u001f\u04d4\ufffd\ufffdw\\\u0022\ufffd\\u0004n\ufffd*o\ufffdZ\ufffdl\ufffd\ufffdmH\ufffd]\ufffd\\u0010\ufffd@c\\u0003\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh\ufffd)+\ufffd2\ufffd\ufffd\ufffdi+\ufffdA\ufffd\ufffd-\\u0014\ufffd\\u000e\ufffde\\u0002\\n\ufffdO\ufffdo\/\\u000f \ufffdC\\u001f\u04d4\ufffd\ufffdw\\\u0022\ufffd\\u0004n\ufffd*o\ufffdZ\ufffdl\ufffd\ufffdmH\ufffd]\ufffd\\u0010\ufffd@c\\u0003\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffdW\ufffdQ\ufffd.\ufffd\ufffd\\u0015\ufffd\\u0005\ufffd\ufffd\\u0005\ufffd\ufffd|\ufffd\u0728\u0553\ufffd\u019f\u003C\u003C\ufffd\ufffd`\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh\ufffd)+\ufffd2\ufffd\ufffd\ufffdi+\ufffdA\ufffd\ufffd-\\u0014\ufffd\\u000e\ufffde\\u0002\\n\ufffdO\ufffdo\/\\u000f \ufffdC\\u001f\u04d4\ufffd\ufffdw\\\u0022\ufffd\\u0004n\ufffd*o\ufffdZ\ufffdl\ufffd\ufffdmH\ufffd]\ufffd\\u0010\ufffd@c\\u0003\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220ac324102572229cd6be8c5d9a7a3a9267e3dd0e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh\ufffd)+\ufffd2\ufffd\ufffd\ufffdi+\ufffdA\ufffd\ufffd-\\u0014\ufffd\\u000e\ufffde\\u0002\\n\ufffdO\ufffdo\/\\u000f \ufffdC\\u001f\u04d4\ufffd\ufffdw\\\u0022\ufffd\\u0004n\ufffd*o\ufffdZ\ufffdl\ufffd\ufffdmH\ufffd]\ufffd\\u0010\ufffd@c\\u0003\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 15672, \u0022service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022service_label_fr\u0022: \u0022RabbitMQ Management\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdh\ufffd)+\ufffd2\ufffd\ufffd\ufffdi+\ufffdA\ufffd\ufffd-\ufffd\ufffde\\n\ufffdO\ufffdo\/ \ufffdC\u04d4\ufffd\ufffdw\\\u0022\ufffdn\ufffd*o\ufffdZ\ufffdl\ufffd\ufffdmH\ufffd]\ufffd\ufffd@c\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via RabbitMQ Management:15672 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002215672 \u00b7 RabbitMQ Management\u0022, \u0022emulator_service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rabbitmq-mgmt\u0022, \u0022service_label_fr\u0022: \u0022RabbitMQ Management\u0022, \u0022dst_port\u0022: 15672, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rabbitmq-mgmt\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffdh\ufffd)+\ufffd2\ufffd\ufffd\ufffdi+\ufffdA\ufffd\ufffd-\\u0014\ufffd\\u000e\ufffde\\u0002\\n\ufffdO\ufffdo\/\\u000f \ufffdC\\u001f\u04d4\ufffd\ufffdw\\\u0022\ufffd\\u0004n\ufffd*o\ufffdZ\ufffdl\ufffd\ufffdmH\ufffd]\ufffd\\u0010\ufffd@c\\u0003\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 15672, \u0022service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022service_label_fr\u0022: \u0022RabbitMQ Management\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via RabbitMQ Management:15672 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdh\ufffd)+\ufffd2\ufffd\ufffd\ufffdi+\ufffdA\ufffd\ufffd-\ufffd\ufffde\\n\ufffdO\ufffdo\/ \ufffdC\u04d4\ufffd\ufffdw\\\u0022\ufffdn\ufffd*o\ufffdZ\ufffdl\ufffd\ufffdmH\ufffd]\ufffd\ufffd@c\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002215672 \u00b7 RabbitMQ Management\u0022, \u0022emulator_service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rabbitmq_mgmt\u0022, \u0022service_banner\u0022: \u0022honeypot-rabbitmq-mgmt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002215672\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rabbitmq_mgmt_probe\u0022, \u0022rabbitmq_mgmt_emulated\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rabbitmq_mgmt_probe\u0022, \u0022rabbitmq_mgmt_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":243},{"id":9583722,"ip":"198.199.89.181","ts":"2026-06-18 14:19:44.000000","proto":"tcp","src_port":30610,"dst_port":15672,"service":"http","classification":"config_file_probe","waf_score":6,"waf_tags":"[\u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/cgi-bin\/authLogin.cgi","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022cgi\u0022, \u0022http_ua_hash\u0022: \u0022c3e68bb8f388240c7ecaebb8bcb80a85536526f2\u0022, \u0022http_host_hash\u0022: \u0022e20166832ab649ed459a27600c089133ceb1b121\u0022, \u0022http_target_hash\u0022: \u00228add963f0e61f10c41c8eee4caf504d0e863a0b6\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 4.940304055613, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 15672, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 74.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022adfa618290ad8ac985eaeba73e14d938d00c779c\u0022, \u0022event_fingerprint\u0022: \u0022ce53218311a4c0ff3b2846994dfa517b353824b6\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 97, \u0022precision_signals\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022backup_file_scan\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 97.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002212bd583dd25b868e6423d8f04cc19fd1\u0022, \u0022payload_hash\u0022: \u0022e6cb8fc2e733bcf6287a5108bb3c6c1e\u0022, \u0022path_pattern_hash\u0022: \u002245fb04fbc0c9ee592196ecdb80f81814\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 15672, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:15672\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:15672\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:15672\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:15672\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:15672\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre_techniques\u0022: [\u0022T1083\u0022], \u0022mitre\u0022: \u0022T1083\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022config_leak_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223d77b30b85e9e8903f376953ec7df9fb0c18710b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 15672, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:15672\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:15672 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/authLogin.cgi\u0022, \u0022target_port_label\u0022: \u002215672 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 74.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 15672, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-http_sensitive\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Http Sensitive\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1083\u0022, \u0022mitre_technique\u0022: \u0022T1083\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/cgi-bin\/authLogin.cgi\u0022, \u0022request_line\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 15672, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022config file probe \u00b7 via HTTP:15672 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/cgi-bin\/authLogin.cgi\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:15672\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002215672 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 97 % \u2014 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002215672\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022rabbitmq-mgmt\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:15672","http_user_agent":"Go-http-client\/1.1","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022http_probe_cgi_bin\u0022, \u0022http_sensitive_path\u0022, \u0022http_ua_suspicious\u0022, \u0022iot_http_endpoint\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":114},{"id":9583725,"ip":"198.199.89.181","ts":"2026-06-18 14:19:44.000000","proto":"tcp","src_port":30626,"dst_port":15672,"service":"rabbitmq-mgmt","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.795868807571666, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022app_proto\u0022: \u0022rabbitmq-mgmt\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 15672, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d348180fd241191bd72599b1c83a0d269ab7aef\u0022, \u0022event_fingerprint\u0022: \u0022d870641320d56850618fc809da4bfa15404d9395\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022rabbitmq-mgmt\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ed30240ba3e2484aa6f0c319a357ef0\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 15672, \u0022service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022service_name\u0022: \u0022rabbitmq-mgmt\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffdJR\ufffdy\\b\\\\\\\\EN]\ufffdn\ufffde\ufffd#\ufffd6:GW\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdd!\ufffdNPZw\\u001bB\\u000f\ufffdl\ufffdB\ufffd\\u0019\\u0007\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0019\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffdJR\ufffdy\\b\\\\\\\\EN]\ufffdn\ufffde\ufffd#\ufffd6:GW\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdd!\ufffdNPZw\\u001bB\\u000f\ufffdl\ufffdB\ufffd\\u0019\\u0007\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0019\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd[\ufffdR\ufffd\\u0005\ufffd\ufffd\ufffdS?\ue903\ufffd\\u000e\ufffd\ufffdMSs\ufffd\ufffd\\u000f\\u0001\ufffd\u00cc\ufffd\ufffd\\u0003\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffdJR\ufffdy\\b\\\\\\\\EN]\ufffdn\ufffde\ufffd#\ufffd6:GW\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdd!\ufffdNPZw\\u001bB\\u000f\ufffdl\ufffdB\ufffd\\u0019\\u0007\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0019\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b2f45d152625f557a1703bd73daa3eb67d6b2f87\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffdJR\ufffdy\\b\\\\\\\\EN]\ufffdn\ufffde\ufffd#\ufffd6:GW\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdd!\ufffdNPZw\\u001bB\\u000f\ufffdl\ufffdB\ufffd\\u0019\\u0007\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0019\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 15672, \u0022service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022service_label_fr\u0022: \u0022RabbitMQ Management\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdJR\ufffdy\\\\\\\\EN]\ufffdn\ufffde\ufffd#\ufffd6:GW\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdd!\ufffdNPZwB\ufffdl\ufffdB\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via RabbitMQ Management:15672 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002215672 \u00b7 RabbitMQ Management\u0022, \u0022emulator_service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022rabbitmq-mgmt\u0022, \u0022service_label_fr\u0022: \u0022RabbitMQ Management\u0022, \u0022dst_port\u0022: 15672, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-rabbitmq-mgmt\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd\ufffd\ufffd\ufffdJR\ufffdy\\b\\\\\\\\EN]\ufffdn\ufffde\ufffd#\ufffd6:GW\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdd!\ufffdNPZw\\u001bB\\u000f\ufffdl\ufffdB\ufffd\\u0019\\u0007\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\\u0019\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 15672, \u0022service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022service_label_fr\u0022: \u0022RabbitMQ Management\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via RabbitMQ Management:15672 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdJR\ufffdy\\\\\\\\EN]\ufffdn\ufffde\ufffd#\ufffd6:GW\ufffdy\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdd!\ufffdNPZwB\ufffdl\ufffdB\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002215672 \u00b7 RabbitMQ Management\u0022, \u0022emulator_service\u0022: \u0022rabbitmq-mgmt\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022rabbitmq_mgmt\u0022, \u0022service_banner\u0022: \u0022honeypot-rabbitmq-mgmt\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002215672\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022rabbitmq-mgmt\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_rabbitmq_mgmt_probe\u0022, \u0022rabbitmq_mgmt_emulated\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_rabbitmq_mgmt_probe\u0022, \u0022rabbitmq_mgmt_emulated\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":5,"bytes_in":243},{"id":9578415,"ip":"198.199.89.181","ts":"2026-06-18 12:33:24.000000","proto":"tcp","src_port":27846,"dst_port":11211,"service":"memcached","classification":"memcached_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022454e440d0a\u0022, \u0022emulator_response_len\u0022: 5, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 4.86670441065192, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022memcached\u0022, \u0022app_proto\u0022: \u0022memcached\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 11211, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224eab2df10981f90270adaeb39c806c5e04ff5af2\u0022, \u0022event_fingerprint\u0022: \u00222fcce8d4fd15e6ca50ec0235eeed2c6616def357\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022INT-INFRA-memcached-stats\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-INFRA-memcached-stats\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 48}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002269279a7b833934d23dd427f2086ce864\u0022, \u0022path_pattern_hash\u0022: \u0022549d36783f9e3c43618e715d78a40b3b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_name\u0022: \u0022memcached\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220b5ef223dfa001711fe712e81d261b62948d3dc8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022memcached probe \u00b7 via MEMCACHED:11211 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211211 \u00b7 MEMCACHED\u0022, \u0022emulator_service\u0022: \u0022memcached\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 48\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 48}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022, \u0022dst_port\u0022: 11211, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-INFRA-memcached-stats\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Infra Memcached Stats\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022}, \u0022attack_vector\u0022: \u0022memcached probe \u00b7 via MEMCACHED:11211 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:11211\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u002211211 \u00b7 MEMCACHED\u0022, \u0022emulator_service\u0022: \u0022memcached\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211211\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022imap_probe\u0022, \u0022memcached_emulated\u0022, \u0022memcached_payload\u0022, \u0022net_memcached_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022imap_probe\u0022, \u0022memcached_emulated\u0022, \u0022memcached_payload\u0022, \u0022net_memcached_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":114},{"id":9578416,"ip":"198.199.89.181","ts":"2026-06-18 12:33:24.000000","proto":"tcp","src_port":27850,"dst_port":11211,"service":"memcached","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.6860910691563715, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022memcached\u0022, \u0022app_proto\u0022: \u0022memcached\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 11211, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 36.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a0d4041815b62f68b74e4bea9cd476604f6dc8eb\u0022, \u0022event_fingerprint\u0022: \u00222fcce8d4fd15e6ca50ec0235eeed2c6616def357\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fb32694010cf67b3e1cdf3cc99d716e6\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_name\u0022: \u0022memcached\u0022, \u0022risk_score\u0022: 40}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\r\ud9f6\udd69k\u003E\ufffd\ufffd\\u001b\\u0018f\ufffd\u4bf7\ufffd\\u0014\ufffd\ufffdm*\ufffdZG\\u0010\ufffd\ufffd6\ufffd\ufffd \\u0006q:\ufffd@\ufffd\\u0013]\\u0000\ufffd\\u0000\ufffdy\ufffdvdJ\ufffd\ufffd8\ufffd\ufffdV\ufffd!3\ufffd\\u0003[\ufffd\ufffdF\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\r\ud9f6\udd69k\u003E\ufffd\ufffd\\u001b\\u0018f\ufffd\u4bf7\ufffd\\u0014\ufffd\ufffdm*\ufffdZG\\u0010\ufffd\ufffd6\ufffd\ufffd \\u0006q:\ufffd@\ufffd\\u0013]\\u0000\ufffd\\u0000\ufffdy\ufffdvdJ\ufffd\ufffd8\ufffd\ufffdV\ufffd!3\ufffd\\u0003[\ufffd\ufffdF\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 Qz\ufffdZ\ufffd2\ufffdQ\ufffd\ufffdk\\u000b8\\u0001\\n\ufffd\\u0005\ufffdy\\u0006\ufffdm\ufffd\\n\ufffd\\f\ufffd\ufffdS\\u0004\ufffdY\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\r\ud9f6\udd69k\u003E\ufffd\ufffd\\u001b\\u0018f\ufffd\u4bf7\ufffd\\u0014\ufffd\ufffdm*\ufffdZG\\u0010\ufffd\ufffd6\ufffd\ufffd \\u0006q:\ufffd@\ufffd\\u0013]\\u0000\ufffd\\u0000\ufffdy\ufffdvdJ\ufffd\ufffd8\ufffd\ufffdV\ufffd!3\ufffd\\u0003[\ufffd\ufffdF\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022056ae779c7c10405cc342474a35201f98aaf0eb8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\r\ud9f6\udd69k\u003E\ufffd\ufffd\\u001b\\u0018f\ufffd\u4bf7\ufffd\\u0014\ufffd\ufffdm*\ufffdZG\\u0010\ufffd\ufffd6\ufffd\ufffd \\u0006q:\ufffd@\ufffd\\u0013]\\u0000\ufffd\\u0000\ufffdy\ufffdvdJ\ufffd\ufffd8\ufffd\ufffdV\ufffd!3\ufffd\\u0003[\ufffd\ufffdF\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\r\ud9f6\udd69k\u003E\ufffd\ufffdf\ufffd\u4bf7\ufffd\ufffd\ufffdm*\ufffdZG\ufffd\ufffd6\ufffd\ufffd q:\ufffd@\ufffd]\ufffd\ufffdy\ufffdvdJ\ufffd\ufffd8\ufffd\ufffdV\ufffd!3\ufffd[\ufffd\ufffdF\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via MEMCACHED:11211 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211211 \u00b7 MEMCACHED\u0022, \u0022emulator_service\u0022: \u0022memcached\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022, \u0022dst_port\u0022: 11211, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\r\ud9f6\udd69k\u003E\ufffd\ufffd\\u001b\\u0018f\ufffd\u4bf7\ufffd\\u0014\ufffd\ufffdm*\ufffdZG\\u0010\ufffd\ufffd6\ufffd\ufffd \\u0006q:\ufffd@\ufffd\\u0013]\\u0000\ufffd\\u0000\ufffdy\ufffdvdJ\ufffd\ufffd8\ufffd\ufffdV\ufffd!3\ufffd\\u0003[\ufffd\ufffdF\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via MEMCACHED:11211 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\r\ud9f6\udd69k\u003E\ufffd\ufffdf\ufffd\u4bf7\ufffd\ufffd\ufffdm*\ufffdZG\ufffd\ufffd6\ufffd\ufffd q:\ufffd@\ufffd]\ufffd\ufffdy\ufffdvdJ\ufffd\ufffd8\ufffd\ufffdV\ufffd!3\ufffd[\ufffd\ufffdF\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002211211 \u00b7 MEMCACHED\u0022, \u0022emulator_service\u0022: \u0022memcached\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211211\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022memcached_emulated\u0022, \u0022memcached_payload\u0022, \u0022net_memcached_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022memcached_emulated\u0022, \u0022memcached_payload\u0022, \u0022net_memcached_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":243},{"id":9578421,"ip":"198.199.89.181","ts":"2026-06-18 12:33:24.000000","proto":"tcp","src_port":27868,"dst_port":11211,"service":"memcached","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002256455253494f4e20312e362e360d0a\u0022, \u0022emulator_response_len\u0022: 15, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.809525757746521, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022memcached\u0022, \u0022app_proto\u0022: \u0022memcached\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 11211, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 36.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a0d4041815b62f68b74e4bea9cd476604f6dc8eb\u0022, \u0022event_fingerprint\u0022: \u00222fcce8d4fd15e6ca50ec0235eeed2c6616def357\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022memcached\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226b80206fe4fe4b351bc06296edb7b2ae\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_name\u0022: \u0022memcached\u0022, \u0022risk_score\u0022: 40}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdf261\ufffd\/\ufffdyG\ufffd-\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdYF\ufffdR\u042d\\f 7\ufffd+\ufffdR^KU\u0027K\\u0003\ufffd\ufffdhZ\ufffdS\ufffdA-\\u001b6\\u001cn\\u000b\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdf261\ufffd\/\ufffdyG\ufffd-\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdYF\ufffdR\u042d\\f 7\ufffd+\ufffdR^KU\u0027K\\u0003\ufffd\ufffdhZ\ufffdS\ufffdA-\\u001b6\\u001cn\\u000b\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd~m\ufffd\ufffd\ufffd\u0159\\u001d\\u000f\\u0014\ufffd\ufffd\ufffd\\n\\r\u06412\u0027-?-p\ufffd\\t\ufffdc\\u0018\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdf261\ufffd\/\ufffdyG\ufffd-\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdYF\ufffdR\u042d\\f 7\ufffd+\ufffdR^KU\u0027K\\u0003\ufffd\ufffdhZ\ufffdS\ufffdA-\\u001b6\\u001cn\\u000b\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002230b3c99b21fa6f7b15fa26810000e3f5156ad01b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdf261\ufffd\/\ufffdyG\ufffd-\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdYF\ufffdR\u042d\\f 7\ufffd+\ufffdR^KU\u0027K\\u0003\ufffd\ufffdhZ\ufffdS\ufffdA-\\u001b6\\u001cn\\u000b\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdf261\ufffd\/\ufffdyG\ufffd-\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdYF\ufffdR\u042d 7\ufffd+\ufffdR^KU\u0027K\ufffd\ufffdhZ\ufffdS\ufffdA-6n\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via MEMCACHED:11211 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002211211 \u00b7 MEMCACHED\u0022, \u0022emulator_service\u0022: \u0022memcached\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022, \u0022dst_port\u0022: 11211, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-memcached\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdf261\ufffd\/\ufffdyG\ufffd-\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdYF\ufffdR\u042d\\f 7\ufffd+\ufffdR^KU\u0027K\\u0003\ufffd\ufffdhZ\ufffdS\ufffdA-\\u001b6\\u001cn\\u000b\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 11211, \u0022service\u0022: \u0022memcached\u0022, \u0022service_label_fr\u0022: \u0022MEMCACHED\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via MEMCACHED:11211 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdf261\ufffd\/\ufffdyG\ufffd-\ufffd\ufffdg\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd9\ufffdYF\ufffdR\u042d 7\ufffd+\ufffdR^KU\u0027K\ufffd\ufffdhZ\ufffdS\ufffdA-6n\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002211211 \u00b7 MEMCACHED\u0022, \u0022emulator_service\u0022: \u0022memcached\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022memcached\u0022, \u0022service_banner\u0022: \u0022honeypot-memcached\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211211\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022memcached_emulated\u0022, \u0022memcached_payload\u0022, \u0022net_memcached_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022memcached_emulated\u0022, \u0022memcached_payload\u0022, \u0022net_memcached_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":243},{"id":9577823,"ip":"198.199.89.181","ts":"2026-06-18 12:18:53.000000","proto":"tcp","src_port":59188,"dst_port":9301,"service":"sap-diag","classification":"sap_diag_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 5.24098749646502, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022sap-diag\u0022, \u0022app_proto\u0022: \u0022sap-diag\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9301, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 62.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 48.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 48.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225d95d29513c1247eaaf3077bc2effbd3434033f4\u0022, \u0022event_fingerprint\u0022: \u002226bbaf5859547d54eefc605071c8b53555becc9b\u0022, \u0022classification_reason\u0022: \u0022Connexion SAP Diag\/GUI \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 48.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-diag\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229d69e7d73319a0faea3e1ce9c62833b6\u0022, \u0022path_pattern_hash\u0022: \u0022b1c7373ffa4daadb6ab138f759082d87\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9301, \u0022service\u0022: \u0022sap-diag\u0022, \u0022service_name\u0022: \u0022sap-diag\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Connexion SAP Diag\/GUI \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022sap_probe\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226247d85836ebf9679b6306e3c2f468d69d00ac1c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022sap-diag\u0022, \u0022service_label_fr\u0022: \u0022SAP Diag\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022Sonde SAP Diag\/GUI \u00b7 via SAP Diag:9301 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 SAP Diag\u0022, \u0022emulator_service\u0022: \u0022sap-diag\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Connexion SAP Diag\/GUI \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Connexion SAP Diag\/GUI \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 62.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 48.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022sap-diag\u0022, \u0022service_label_fr\u0022: \u0022SAP Diag\u0022, \u0022dst_port\u0022: 9301, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-diag\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022sap-diag\u0022, \u0022service_label_fr\u0022: \u0022SAP Diag\u0022}, \u0022attack_vector\u0022: \u0022Sonde SAP Diag\/GUI \u00b7 via SAP Diag:9301 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 SAP Diag\u0022, \u0022emulator_service\u0022: \u0022sap-diag\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_diag\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-diag\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229301\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022net_sap_diag_probe\u0022, \u0022sap_diag_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022net_sap_diag_probe\u0022, \u0022sap_diag_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":116},{"id":9577827,"ip":"198.199.89.181","ts":"2026-06-18 12:18:53.000000","proto":"tcp","src_port":59182,"dst_port":9301,"service":"http","classification":"ssrf_attack","waf_score":22,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022033dedd926f028341b5d0b4ba132f8088c552b7c\u0022, \u0022http_host_hash\u0022: \u00224ec4f7742057a494be7151a79d7300b38592b458\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 148, \u0022payload_entropy\u0022: 5.114680582807895, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9301, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 84.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229e4c7480fbaf02cd51a4fd5234c3554efc6ace2a\u0022, \u0022event_fingerprint\u0022: \u00223d8e8c9824942458ffee07e70164580213acac88\u0022, \u0022classification_reason\u0022: \u0022R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.58, \u0022classification_confidence\u0022: 0.58, \u0022precision_score\u0022: 55, \u0022precision_signals\u0022: [\u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229f9c7ebc5d6f6c8d69ee2392fa6e3a4f\u0022, \u0022payload_hash\u0022: \u0022479a2e89439f0ca6e5f7c167478d3216\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9301, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\\r\\nAccept: *\/*\\r\\nAccep\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\\r\\nAccept: *\/*\\r\\nAccep\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\\r\\nAccept: *\/*\\r\\nAccep\u0022, \u0022classification_reason\u0022: \u0022R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ssrf_probe\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002239422ab785793602d03b30a5fadcbdea05488428\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\\r\\nAccept: *\/*\\r\\nAccep\u0022, \u0022attack_vector\u0022: \u0022ssrf attack \u00b7 via HTTP:9301 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 84.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9301, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022ssrf attack \u00b7 via HTTP:9301 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\\r\\nAccept: *\/*\\r\\nAccep\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229301\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022sap-diag\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9301","http_user_agent":"Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":148},{"id":9577828,"ip":"198.199.89.181","ts":"2026-06-18 12:18:53.000000","proto":"tcp","src_port":59190,"dst_port":9301,"service":"http","classification":"lfi_path_traversal","waf_score":14,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022]","http_method":"GET","http_target":"\/v2\/_catalog","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 3, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022c3e68bb8f388240c7ecaebb8bcb80a85536526f2\u0022, \u0022http_host_hash\u0022: \u00224ec4f7742057a494be7151a79d7300b38592b458\u0022, \u0022http_target_hash\u0022: \u00220a123e4bf77be2af9aa43488b1d007835b4ab56c\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: true, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 103, \u0022payload_entropy\u0022: 4.924866616615826, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9301, \u0022risk_waf\u0022: 64.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 64.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b4e005c2a57ba0cb39b643fe03e2b0bb7eccb5b9\u0022, \u0022event_fingerprint\u0022: \u0022d19b724518954253beaa9f9a63420f83ace40222\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 64.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002212bd583dd25b868e6423d8f04cc19fd1\u0022, \u0022payload_hash\u0022: \u00227ae253c75995287ee057c05cde66b034\u0022, \u0022path_pattern_hash\u0022: \u0022e619279e9365734b3a57aa3a63edbea8\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9301, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v2\/_catalog\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/v2\/_catalog\u0022, \u0022user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c61dda9e2317ed1422db829891cdc0a1e7eddf46\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v2\/_catalog\u0022, \u0022request_line\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:9301 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v2\/_catalog\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 64.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 48, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9301, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/v2\/_catalog\u0022, \u0022request_line\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Go-http-client\/1.1\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:9301 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/v2\/_catalog\u0022, \u0022evidence_snippet\u0022: \u0022GET \/v2\/_catalog HTTP\/1.1\\r\\nHost: 62.3.50.33:9301\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229301\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022sap-diag\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022http_probe_registry\u0022, \u0022http_ua_suspicious\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9301","http_user_agent":"Go-http-client\/1.1","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950468:nosqli-3\u0022, \u0022http_probe_registry\u0022, \u0022http_ua_suspicious\u0022]","anomalies":"[]","severity":8,"bytes_in":103},{"id":9577833,"ip":"198.199.89.181","ts":"2026-06-18 12:18:53.000000","proto":"tcp","src_port":59212,"dst_port":9301,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u00221b9bb541fa237aff65acf838b154df7f\u0022, \u0022tls_sni\u0022: \u002262.3.50.33\u0022, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 19, \u0022bytes_in\u0022: 201, \u0022payload_entropy\u0022: 5.011647200775573, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9301, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221523f7d27a55e1ea080f06e42006fa02aefe33ae\u0022, \u0022event_fingerprint\u0022: \u0022d7ad2cee2fc18cd3c21afba0bf91d248ce02bc5b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u00221b9bb541fa237aff65acf838b154df7f\u0022, \u0022payload_hash\u0022: \u00226bd431847f622f2369f8e211837e6f13\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227d55a26b02c27f625ff34bc84f8ab649\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 40, \u0022tls_sni\u0022: \u002262.3.50.33\u0022, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10-49188-49187-49160-158-157-156-49192-49191-52393-52392-52394-107-103-57-51-22-61-60-4-20-159-21-49196-49200-8-6-3,0-5-10-11-13-65281,23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227d55a26b02c27f625ff34bc84f8ab649\u0022, \u0022tls_ja4\u0022: \u0022t13d0140_c79c1c2c7c3c_40d2e578a3e2\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 40, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9301, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0016C\ufffdww\ufffd\\u001eH\\\\G\u003C\\u0010\\u0000_\ufffdjn\ufffd\\u000e\\thS\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd\\u0000\\u0000P\ufffd\/\ufffd+\ufffd\\u0011\ufffd\\u0007\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\\u0005\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd$\ufffd#\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd(\ufffd\u0027\u0329\u0328\u032a\\u0000k\\u0000g\\u00009\\u00003\\u0000\\u0016\\u0000=\\u0000\u003C\\u0000\\u0004\\u0000\\u0014\\u0000\ufffd\\u0000\\u0015\ufffd,\ufffd0\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0016C\ufffdww\ufffd\\u001eH\\\\G\u003C\\u0010\\u0000_\ufffdjn\ufffd\\u000e\\thS\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd\\u0000\\u0000P\ufffd\/\ufffd+\ufffd\\u0011\ufffd\\u0007\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\\u0005\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd$\ufffd#\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd(\ufffd\u0027\u0329\u0328\u032a\\u0000k\\u0000g\\u00009\\u00003\\u0000\\u0016\\u0000=\\u0000\u003C\\u0000\\u0004\\u0000\\u0014\\u0000\ufffd\\u0000\\u0015\ufffd,\ufffd0\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\\u0000G\\u0000\\u0000\\u0000\\u000f\\u0000\\r\\u0000\\u0000\\n62.3.50.33\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\b\\u0000\\u0006\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u0010\\u0000\\u000e\\u0004\\u0001\\u0004\\u0003\\u0002\\u0001\\u0002\\u0003\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\ufffd\\u0001\\u0000\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0016C\ufffdww\ufffd\\u001eH\\\\G\u003C\\u0010\\u0000_\ufffdjn\ufffd\\u000e\\thS\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd\\u0000\\u0000P\ufffd\/\ufffd+\ufffd\\u0011\ufffd\\u0007\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\\u0005\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd$\ufffd#\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd(\ufffd\u0027\u0329\u0328\u032a\\u0000k\\u0000g\\u00009\\u00003\\u0000\\u0016\\u0000=\\u0000\u003C\\u0000\\u0004\\u0000\\u0014\\u0000\ufffd\\u0000\\u0015\ufffd,\ufffd0\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002295a4a91aa85c5a1142ee47e84d11c081f651585f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0016C\ufffdww\ufffd\\u001eH\\\\G\u003C\\u0010\\u0000_\ufffdjn\ufffd\\u000e\\thS\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd\\u0000\\u0000P\ufffd\/\ufffd+\ufffd\\u0011\ufffd\\u0007\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\\u0005\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd$\ufffd#\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd(\ufffd\u0027\u0329\u0328\u032a\\u0000k\\u0000g\\u00009\\u00003\\u0000\\u0016\\u0000=\\u0000\u003C\\u0000\\u0004\\u0000\\u0014\\u0000\ufffd\\u0000\\u0015\ufffd,\ufffd0\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u00221b9bb541fa237aff65acf838b154df7f\u0022, \u0022tls_ja4\u0022: \u00227d55a26b02c27f625ff34bc84f8ab649\u0022, \u0022tls_sni\u0022: \u002262.3.50.33\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdC\ufffdww\ufffdH\\\\G\u003C_\ufffdjn\ufffd\\thS\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\\t\ufffd\ufffd\\n\/5\ufffd\\n\ufffd$\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\u0027\u0329\u0328\u032akg93=\u003C\ufffd\ufffd,\ufffd0\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9301 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9301, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u0016C\ufffdww\ufffd\\u001eH\\\\G\u003C\\u0010\\u0000_\ufffdjn\ufffd\\u000e\\thS\ufffd\ufffd\ufffd\ufffd\ufffd\\u0012\ufffd\ufffd\\u0000\\u0000P\ufffd\/\ufffd+\ufffd\\u0011\ufffd\\u0007\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\\u0005\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\ufffd$\ufffd#\ufffd\\b\\u0000\ufffd\\u0000\ufffd\\u0000\ufffd\ufffd(\ufffd\u0027\u0329\u0328\u032a\\u0000k\\u0000g\\u00009\\u00003\\u0000\\u0016\\u0000=\\u0000\u003C\\u0000\\u0004\\u0000\\u0014\\u0000\ufffd\\u0000\\u0015\ufffd,\ufffd0\\u0000\\b\\u0000\\u0006\\u0000\\u0003\\u0001\\u0000\u0022, \u0022tls_ja3\u0022: \u00221b9bb541fa237aff65acf838b154df7f\u0022, \u0022tls_ja4\u0022: \u00227d55a26b02c27f625ff34bc84f8ab649\u0022, \u0022tls_sni\u0022: \u002262.3.50.33\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:9301 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdC\ufffdww\ufffdH\\\\G\u003C_\ufffdjn\ufffd\\thS\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\\t\ufffd\ufffd\\n\/5\ufffd\\n\ufffd$\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\u0027\u0329\u0328\u032akg93=\u003C\ufffd\ufffd,\ufffd0\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229301\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022sap-diag\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_sni_ip\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":"62.3.50.33","tls_ja3_hash":"1b9bb541fa237aff65acf838b154df7f","tls_ja3":"771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10-49188-49187-49160-158-157-156-49192-49191-52393-52392-52394-107-103-57-51-22-61-60-4-20-159-21-49196-49200-8-6-3,0-5-10-11-13-65281,23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_sni_ip\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":201},{"id":9577834,"ip":"198.199.89.181","ts":"2026-06-18 12:18:53.000000","proto":"tcp","src_port":59236,"dst_port":9301,"service":"tls","classification":"tls_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u0022c216e752cae6f8755fd27f561d031636\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 8, \u0022bytes_in\u0022: 297, \u0022payload_entropy\u0022: 5.721080250414497, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9301, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 1.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222a30132fd40833ff6ea94fa5aad1ecef5c4d1cf4\u0022, \u0022event_fingerprint\u0022: \u002227685f573960c3bd20cde2b9f3e4621dc245c85d\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u0022c216e752cae6f8755fd27f561d031636\u0022, \u0022payload_hash\u0022: \u00228120d9f661113f75cf3522a48731dfdc\u0022, \u0022path_pattern_hash\u0022: \u00228792d2cfdc5028123bfb8f159de8656c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9301, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001$\\u0001\\u0000\\u0001 \\u0003\\u0003\ufffd\\u000fN\ufffd\ufffd\\u0004\ufffd\ufffdvp\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\\tUX\ufffd\ufffd\ufffd0\ufffd \\u0016 \ufffd\\u001fA\u0027\ufffd\\u0004\\u0002\\f\\u0012\ufffdi\\f\ufffd\ufffd\\u0010\ufffdnm\u0323*\ufffd\ufffd\ufffd\ufffder\ufffd\u0455\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0001$\\u0001\\u0000\\u0001 \\u0003\\u0003\ufffd\\u000fN\ufffd\ufffd\\u0004\ufffd\ufffdvp\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\\tUX\ufffd\ufffd\ufffd0\ufffd \\u0016 \ufffd\\u001fA\u0027\ufffd\\u0004\\u0002\\f\\u0012\ufffdi\\f\ufffd\ufffd\\u0010\ufffdnm\u0323*\ufffd\ufffd\ufffd\ufffder\ufffd\u0455\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\\u0000\ufffd\\u0000=\\u0000\u003C\\u00005\\u0000\/\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0000\\u000b\\u0000\\u0004\\u0003\\u0000\\u0001\\u0002\\u0000\\n\\u0000\\u0016\\u0000\\u0014\\u0000\\u001d\\u0000\\u0017\\u0000\\u001e\\u0000\\u0019\\u0000\\u0018\\u0001\\u0000\\u0001\\u0001\\u0001\\u0002\\u0001\\u0003\\u0001\\u0004\\u0000#\\u0000\\u0000\\u0000\\u0016\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\r\\u0000*\\u0000(\\u0004\\u0003\\u0005\\u0003\\u0006\\u0003\\b\\u0007\\b\\b\\b\\t\\b\\n\\b\\u000b\\b\\u0004\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0003\\u0003\\u0003\\u0001\\u0003\\u0002\\u0004\\u0002\\u0005\\u0002\\u0006\\u0002\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u0000-\\u0000\\u0002\\u0001\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0001$\\u0001\\u0000\\u0001 \\u0003\\u0003\ufffd\\u000fN\ufffd\ufffd\\u0004\ufffd\ufffdvp\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\\tUX\ufffd\ufffd\ufffd0\ufffd \\u0016 \ufffd\\u001fA\u0027\ufffd\\u0004\\u0002\\f\\u0012\ufffdi\\f\ufffd\ufffd\\u0010\ufffdnm\u0323*\ufffd\ufffd\ufffd\ufffder\ufffd\u0455\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b7d325e1ddb30e369662260e9fe13bb1d91600d8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001$\\u0001\\u0000\\u0001 \\u0003\\u0003\ufffd\\u000fN\ufffd\ufffd\\u0004\ufffd\ufffdvp\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\\tUX\ufffd\ufffd\ufffd0\ufffd \\u0016 \ufffd\\u001fA\u0027\ufffd\\u0004\\u0002\\f\\u0012\ufffdi\\f\ufffd\ufffd\\u0010\ufffdnm\u0323*\ufffd\ufffd\ufffd\ufffder\ufffd\u0455\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022tls_ja3\u0022: \u0022c216e752cae6f8755fd27f561d031636\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022$ \ufffdN\ufffd\ufffd\ufffd\ufffdvp\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\\tUX\ufffd\ufffd\ufffd0\ufffd  \ufffdA\u0027\ufffd\ufffdi\ufffd\ufffd\ufffdnm\u0323*\ufffd\ufffd\ufffd\ufffder\ufffd\u0455\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:9301 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 9301, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0001$\\u0001\\u0000\\u0001 \\u0003\\u0003\ufffd\\u000fN\ufffd\ufffd\\u0004\ufffd\ufffdvp\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\\tUX\ufffd\ufffd\ufffd0\ufffd \\u0016 \ufffd\\u001fA\u0027\ufffd\\u0004\\u0002\\f\\u0012\ufffdi\\f\ufffd\ufffd\\u0010\ufffdnm\u0323*\ufffd\ufffd\ufffd\ufffder\ufffd\u0455\\u0000\u003E\\u0013\\u0002\\u0013\\u0003\\u0013\\u0001\ufffd,\ufffd0\\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\\u0000\ufffd\ufffd$\ufffd(\\u0000k\ufffd#\ufffd\u0027\\u0000g\ufffd\\n\ufffd\\u0014\\u00009\ufffd\\t\ufffd\\u0013\\u00003\\u0000\ufffd\u0022, \u0022tls_ja3\u0022: \u0022c216e752cae6f8755fd27f561d031636\u0022, \u0022port\u0022: 9301, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022tls probe \u00b7 via TLS:9301 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022$ \ufffdN\ufffd\ufffd\ufffd\ufffdvp\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffd\ufffd\\tUX\ufffd\ufffd\ufffd0\ufffd  \ufffdA\u0027\ufffd\ufffdi\ufffd\ufffd\ufffdnm\u0323*\ufffd\ufffd\ufffd\ufffder\ufffd\u0455\u003E\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd\u0027g\ufffd\\n\ufffd9\ufffd\\t\ufffd3\ufffd\u0022, \u0022target_port_label\u0022: \u00229301 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229301\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022sap-diag\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":"c216e752cae6f8755fd27f561d031636","tls_ja3":"771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,11-10-35-22-23-13-43-45-51,29-23-30-25-24-256-257-258-259-260,0-1-2","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":297},{"id":9566937,"ip":"198.199.89.181","ts":"2026-06-18 09:08:34.000000","proto":"tcp","src_port":14782,"dst_port":1433,"service":"mssql","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.840078616942527, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 36.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002237051d253c792a703ef86a951fdecd81bbfe50e9\u0022, \u0022event_fingerprint\u0022: \u00226e104f6072c052d0dd22893d2f1fa140642f7c7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022688af0b6663b4dbc67c5be758a4108cb\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 40}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u06dc\ufffd}\ufffd5\ufffd\ufffd\ufffdf@2\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd:\u051aj[V\ufffdi\ufffd\ufffd!\\u001b \ufffd\\f$V\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdVq\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd1\\b\ufffd@\ufffd*\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u06dc\ufffd}\ufffd5\ufffd\ufffd\ufffdf@2\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd:\u051aj[V\ufffdi\ufffd\ufffd!\\u001b \ufffd\\f$V\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdVq\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd1\\b\ufffd@\ufffd*\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 #\ufffd\\u0001\ufffd\ufffdi\ufffd\ufffd\\u0019\ufffd\ufffd\ufffd\ufffd\\u001aP?\ufffd\ufffdi\ufffd\ufffd\ufffd.\ufffd\\t\u04deg\ufffd\\u0015-\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u06dc\ufffd}\ufffd5\ufffd\ufffd\ufffdf@2\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd:\u051aj[V\ufffdi\ufffd\ufffd!\\u001b \ufffd\\f$V\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdVq\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd1\\b\ufffd@\ufffd*\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b94f8b8d97ce6028979200f56321e475cc0aa939\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u06dc\ufffd}\ufffd5\ufffd\ufffd\ufffdf@2\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd:\u051aj[V\ufffdi\ufffd\ufffd!\\u001b \ufffd\\f$V\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdVq\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd1\\b\ufffd@\ufffd*\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u06dc\ufffd}\ufffd5\ufffd\ufffd\ufffdf@2\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd:\u051aj[V\ufffdi\ufffd\ufffd! \ufffd$V\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdVq\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd@\ufffd*\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\u06dc\ufffd}\ufffd5\ufffd\ufffd\ufffdf@2\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd:\u051aj[V\ufffdi\ufffd\ufffd!\\u001b \ufffd\\f$V\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdVq\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0013\ufffd1\\b\ufffd@\ufffd*\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u06dc\ufffd}\ufffd5\ufffd\ufffd\ufffdf@2\ufffd8\ufffd\ufffd\ufffd\ufffd\ufffd:\u051aj[V\ufffdi\ufffd\ufffd! \ufffd$V\ufffd\ufffd\\t\ufffd\ufffd\ufffd\ufffd\ufffdVq\ufffd~\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd@\ufffd*\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":243},{"id":9566938,"ip":"198.199.89.181","ts":"2026-06-18 09:08:34.000000","proto":"tcp","src_port":14788,"dst_port":1433,"service":"mssql","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 47, \u0022payload_entropy\u0022: 2.4483845318297544, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 10.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022584dc8ab43572550a5af46f03637ac724e8c86c3\u0022, \u0022event_fingerprint\u0022: \u002224635733bde8ab881cad2aa5e51b4b5bf5e45e9f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ac2c96b2eda06262c797439e5301e3b7\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000\/\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u001a\\u0000\\u0006\\u0001\\u0000 \\u0000\\u0001\\u0002\\u0000!\\u0000\\u0001\\u0003\\u0000\\\u0022\\u0000\\u0004\\u0004\\u0000\u0026\\u0000\\u0001\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000\/\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u001a\\u0000\\u0006\\u0001\\u0000 \\u0000\\u0001\\u0002\\u0000!\\u0000\\u0001\\u0003\\u0000\\\u0022\\u0000\\u0004\\u0004\\u0000\u0026\\u0000\\u0001\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000\/\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u001a\\u0000\\u0006\\u0001\\u0000 \\u0000\\u0001\\u0002\\u0000!\\u0000\\u0001\\u0003\\u0000\\\u0022\\u0000\\u0004\\u0004\\u0000\u0026\\u0000\\u0001\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u0000\/\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u001a\\u0000\\u0006\\u0001\\u0000 \\u0000\\u0001\\u0002\\u0000!\\u0000\\u0001\\u0003\\u0000\\\u0022\\u0000\\u0004\\u0004\\u0000\u0026\\u0000\\u0001\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u0000\/\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u001a\\u0000\\u0006\\u0001\\u0000 \\u0000\\u0001\\u0002\\u0000!\\u0000\\u0001\\u0003\\u0000\\\u0022\\u0000\\u0004\\u0004\\u0000\u0026\\u0000\\u0001\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002249193ae207fe9f920f6d1ebe575d86e8403c8fa9\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000\/\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u001a\\u0000\\u0006\\u0001\\u0000 \\u0000\\u0001\\u0002\\u0000!\\u0000\\u0001\\u0003\\u0000\\\u0022\\u0000\\u0004\\u0004\\u0000\u0026\\u0000\\u0001\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022\/ !\\\u0022\u0026\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 10.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u0000\/\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u001a\\u0000\\u0006\\u0001\\u0000 \\u0000\\u0001\\u0002\\u0000!\\u0000\\u0001\\u0003\\u0000\\\u0022\\u0000\\u0004\\u0004\\u0000\u0026\\u0000\\u0001\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/ !\\\u0022\u0026\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022mssql_probe\u0022, \u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":6,"bytes_in":47},{"id":9566940,"ip":"198.199.89.181","ts":"2026-06-18 09:08:34.000000","proto":"tcp","src_port":14804,"dst_port":1433,"service":"mssql","classification":"imap_bruteforce","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 113, \u0022payload_entropy\u0022: 4.903280269962342, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 66.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 46.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 66.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 41, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a5fede9c6ff676e6247103daeda430e40579043\u0022, \u0022event_fingerprint\u0022: \u00226e104f6072c052d0dd22893d2f1fa140642f7c7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 76, \u0022precision_signals\u0022: [\u0022INT-EMAIL-imap-login\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-EMAIL-imap-login\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 66.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 41}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e4f5bb46982eb86cb72862d1a5221e96\u0022, \u0022path_pattern_hash\u0022: \u0022d01bbf3f52d5029936b2dffb0f5e856f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 41}, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1110\u0022], \u0022mitre\u0022: \u0022T1110\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022708be9fd288506a9226f13d781bebe8bbdc9f303\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022attack_vector\u0022: \u0022imap bruteforce \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 41\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 66.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 46.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 41}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 41, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-EMAIL-imap-login\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Email Imap Login\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1110\u0022, \u0022mitre_technique\u0022: \u0022T1110\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022imap bruteforce \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\\r\\nHost: 62.3.50.33:1433\\r\\nUser-Agent: Go-http-client\/1.1\\r\\nConnection: close\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022, \u0022imap_probe\u0022, \u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022, \u0022imap_probe\u0022, \u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022]","anomalies":"[]","severity":6,"bytes_in":113},{"id":9566941,"ip":"198.199.89.181","ts":"2026-06-18 09:08:34.000000","proto":"tcp","src_port":14810,"dst_port":1433,"service":"mssql","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022001f00001a00060000000000000000000000000000000000000000000000000000\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.815650108118939, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022service\u0022: \u0022mssql\u0022, \u0022app_proto\u0022: \u0022mssql\u0022, \u0022asn\u0022: 14061, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1433, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 36.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002237051d253c792a703ef86a951fdecd81bbfe50e9\u0022, \u0022event_fingerprint\u0022: \u00226e104f6072c052d0dd22893d2f1fa140642f7c7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 14061, \u0022org\u0022: \u0022DigitalOcean, LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002261d8461a593773e0710f761d66c66f37\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja3\u0022: \u0022771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_0f418b0e79cc_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022risk_score\u0022: 40}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd7\ufffd\ufffd\u003CFr\\u0005\\u0007\ufffd{\\u001e\\u001d,\u0409\ufffd\\u0011\ufffd7\ufffdp\ufffd\/\\u001c!\ufffdB\ufffd\ufffd W\ufffd\ufffdR\ufffd\\u0017\\u0004\ufffd\ufffdL\ufffd\ufffdI\ufffd\ufffd\ufffd\\fyR\ufffd\ufffdG\ufffd\/\ufffd\u0346M\ufffd\u0449\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd7\ufffd\ufffd\u003CFr\\u0005\\u0007\ufffd{\\u001e\\u001d,\u0409\ufffd\\u0011\ufffd7\ufffdp\ufffd\/\\u001c!\ufffdB\ufffd\ufffd W\ufffd\ufffdR\ufffd\\u0017\\u0004\ufffd\ufffdL\ufffd\ufffdI\ufffd\ufffd\ufffd\\fyR\ufffd\ufffdG\ufffd\/\ufffd\u0346M\ufffd\u0449\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\u0005\\u0004\\u0003\\u0004\\u0003\\u0003\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\\u0018J\\u001a\ufffdO\ufffdrq\ufffdpd1f1\ufffd\\u00142\ufffdM\ufffd;\ufffdz\\u0018`\ufffd\ufffd\\u001b-\u003C\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd7\ufffd\ufffd\u003CFr\\u0005\\u0007\ufffd{\\u001e\\u001d,\u0409\ufffd\\u0011\ufffd7\ufffdp\ufffd\/\\u001c!\ufffdB\ufffd\ufffd W\ufffd\ufffdR\ufffd\\u0017\\u0004\ufffd\ufffdL\ufffd\ufffdI\ufffd\ufffd\ufffd\\fyR\ufffd\ufffdG\ufffd\/\ufffd\u0346M\ufffd\u0449\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a49304f093dc8a9402c2e328dc8bc4f27d9db81d\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd7\ufffd\ufffd\u003CFr\\u0005\\u0007\ufffd{\\u001e\\u001d,\u0409\ufffd\\u0011\ufffd7\ufffdp\ufffd\/\\u001c!\ufffdB\ufffd\ufffd W\ufffd\ufffdR\ufffd\\u0017\\u0004\ufffd\ufffdL\ufffd\ufffdI\ufffd\ufffd\ufffd\\fyR\ufffd\ufffdG\ufffd\/\ufffd\u0346M\ufffd\u0449\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd\u003CFr\ufffd{,\u0409\ufffd\ufffd7\ufffdp\ufffd\/!\ufffdB\ufffd\ufffd W\ufffd\ufffdR\ufffd\ufffd\ufffdL\ufffd\ufffdI\ufffd\ufffd\ufffdyR\ufffd\ufffdG\ufffd\/\ufffd\u0346M\ufffd\u0449\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 36.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022, \u0022dst_port\u0022: 1433, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022mssql_tds_fr\u0022: \u0022Connexion TDS Microsoft SQL Server\u0022, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\ufffd7\ufffd\ufffd\u003CFr\\u0005\\u0007\ufffd{\\u001e\\u001d,\u0409\ufffd\\u0011\ufffd7\ufffdp\ufffd\/\\u001c!\ufffdB\ufffd\ufffd W\ufffd\ufffdR\ufffd\\u0017\\u0004\ufffd\ufffdL\ufffd\ufffdI\ufffd\ufffd\ufffd\\fyR\ufffd\ufffdG\ufffd\/\ufffd\u0346M\ufffd\u0449\ufffd\\u0000\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\\u0013\ufffd\\n\ufffd\\u0014\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0001\\u0013\\u0002\\u0013\\u0003\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u0022d6828e30ab66774a91a96ae93be4ae4c\u0022, \u0022tls_ja4\u0022: \u0022e4d60caa902b8b84112358f96af813c3\u0022, \u0022port\u0022: 1433, \u0022service\u0022: \u0022mssql\u0022, \u0022service_label_fr\u0022: \u0022MSSQL\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd\u003CFr\ufffd{,\u0409\ufffd\ufffd7\ufffdp\ufffd\/!\ufffdB\ufffd\ufffd W\ufffd\ufffdR\ufffd\ufffd\ufffdL\ufffd\ufffdI\ufffd\ufffd\ufffdyR\ufffd\ufffdG\ufffd\/\ufffd\u0346M\ufffd\u0449\ufffd\u0026\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00221433 \u00b7 MSSQL\u0022, \u0022emulator_service\u0022: \u0022mssql\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022mssql\u0022, \u0022service_banner\u0022: \u0022honeypot-mssql\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221433\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022, \u0022tls_clienthello\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_emulated\u0022, \u0022mssql_payload\u0022, \u0022net_mssql_probe\u0022, \u0022tls_clienthello\u0022]","anomalies":"[]","severity":6,"bytes_in":243}],"total_events":28}