|
|
TCP |
10086 · TLS
|
tls
|
Sonde TLS
tls probe · via TLS:10086 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 c216e752cae6f875
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10086
Chemin / cible
—
Service
TLS
Payload
����$��� ��o�N��r����L (2wC��H��&h����pY ��-$�-Lʻ�;[���C�Yj eX%����� c,(�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3��
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����$��� ��o�N��r����L
(2wC��H��&h����pY ��-$�-Lʻ�;[���C�Yj eX%������c,(�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g�
���9� ���3��
Requête brute (extrait)
����$��� ��o�N��r����L (2wC��H��&h����pY ��-$�-Lʻ�;[���C�Yj eX%����� c,(�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3�����=�<�5�/������� ������� �������������������������#����������� �*�(����������� � � �������������������������+� ����������-����
Meta JSON brut
{
"tls_ja3_hash": "c216e752cae6f8755fd27f561d031636",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 8,
"bytes_in": 297,
"payload_entropy": 5.751158611073904,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "tls",
"app_proto": "tls",
"asn": 14061,
"country": "US",
"dst_port": 10086,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "71c60695b3b210ad125df18bcc802696afcf87c3",
"event_fingerprint": "6d91b8b1497b457c73f9c365e02a7002f01dc565",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "c216e752cae6f8755fd27f561d031636",
"payload_hash": "3daed1bd158f5759ddd91fd2bce82219",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 10086,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003o\u001cN\ufffd\ufffdr\ufffd\b\u0600\ufffd\u0018L\r(2wC\ufffd\ufffdH\ufffd\ufffd&h\ufffd\u001a\ufffd\ufffdpY \ufffd\ufffd-$\ufffd-L\u02bb\ufffd;[\ufffd\ufffd\ufffdC\ufffdYj eX%\u001d\ufffd\ufffd\ufffd\ufffd\u000bc,(\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003o\u001cN\ufffd\ufffdr\ufffd\b\u0600\ufffd\u0018L\r(2wC\ufffd\ufffdH\ufffd\ufffd&h\ufffd\u001a\ufffd\ufffdpY \ufffd\ufffd-$\ufffd-L\u02bb\ufffd;[\ufffd\ufffd\ufffdC\ufffdYj eX%\u001d\ufffd\ufffd\ufffd\ufffd\u000bc,(\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0000\ufffd\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003o\u001cN\ufffd\ufffdr\ufffd\b\u0600\ufffd\u0018L\r(2wC\ufffd\ufffdH\ufffd\ufffd&h\ufffd\u001a\ufffd\ufffdpY \ufffd\ufffd-$\ufffd-L\u02bb\ufffd;[\ufffd\ufffd\ufffdC\ufffdYj eX%\u001d\ufffd\ufffd\ufffd\ufffd\u000bc,(\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26233221822f61578483a82ef144cb9b41c1a69c",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003o\u001cN\ufffd\ufffdr\ufffd\b\u0600\ufffd\u0018L\r(2wC\ufffd\ufffdH\ufffd\ufffd&h\ufffd\u001a\ufffd\ufffdpY \ufffd\ufffd-$\ufffd-L\u02bb\ufffd;[\ufffd\ufffd\ufffdC\ufffdYj eX%\u001d\ufffd\ufffd\ufffd\ufffd\u000bc,(\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"tls_ja3": "c216e752cae6f8755fd27f561d031636",
"port": 10086,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "$ oN\ufffd\ufffdr\ufffd\u0600\ufffdL\r(2wC\ufffd\ufffdH\ufffd\ufffd&h\ufffd\ufffd\ufffdpY \ufffd\ufffd-$\ufffd-L\u02bb\ufffd;[\ufffd\ufffd\ufffdC\ufffdYj eX%\ufffd\ufffd\ufffd\ufffdc,(>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"attack_vector": "tls probe \u00b7 via TLS:10086 \u00b7 (sonde \/ probe)",
"target_port_label": "10086 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10086,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003o\u001cN\ufffd\ufffdr\ufffd\b\u0600\ufffd\u0018L\r(2wC\ufffd\ufffdH\ufffd\ufffd&h\ufffd\u001a\ufffd\ufffdpY \ufffd\ufffd-$\ufffd-L\u02bb\ufffd;[\ufffd\ufffd\ufffdC\ufffdYj eX%\u001d\ufffd\ufffd\ufffd\ufffd\u000bc,(\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"tls_ja3": "c216e752cae6f8755fd27f561d031636",
"port": 10086,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:10086 \u00b7 (sonde \/ probe)",
"evidence_snippet": "$ oN\ufffd\ufffdr\ufffd\u0600\ufffdL\r(2wC\ufffd\ufffdH\ufffd\ufffd&h\ufffd\ufffd\ufffdpY \ufffd\ufffd-$\ufffd-L\u02bb\ufffd;[\ufffd\ufffd\ufffdC\ufffdYj eX%\ufffd\ufffd\ufffd\ufffdc,(>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"target_port_label": "10086 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10086"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"sap-diag",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
10086 · SAP Diag
|
sap-diag
|
Sonde SAP Diag/GUI
Sonde SAP Diag/GUI · via SAP Diag:10086 · (sonde / probe)
|
Élevée
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SAP-DIAG
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
net_sap_diag_probe
sap_diag_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10086
Chemin / cible
—
Service
SAP Diag
Payload
GET /query?q=SHOW+DIAGNOSTICS HTTP/1.1 Host: 62.3.50.33:10086 User-Agent: Go-http-client/1.1 Connection: close
Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 3 signal(aux) capteur
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /query?q=SHOW+DIAGNOSTICS HTTP/1.1
Host: 62.3.50.33:10086
User-Agent: Go-http-client/1.1
Connection: close
Meta JSON brut
{
"bytes_in": 117,
"payload_entropy": 5.2542876183083385,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "sap-diag",
"app_proto": "sap-diag",
"asn": 14061,
"country": "US",
"dst_port": 10086,
"risk_waf": 8,
"risk_classification": 62,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 48,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 48,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "453a1d7a11154931fa7426943beecf19ebd2a189",
"event_fingerprint": "5e2608b2b5892a735657b200e3835c1d94ce96c5",
"classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 48,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "sap-diag",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c050e106e98d6d2ba20cc37a37e162dd",
"path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87"
},
"target_context": {
"dst_port": 10086,
"service": "sap-diag",
"service_name": "sap-diag",
"risk_score": 24
},
"payload_preview": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"evidence": {
"request_sample": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"sap_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b0767957e3c732ea1bbb4ec03761fff57b7fb8b3",
"protocol_details": {
"payload_preview": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"port": 10086,
"service": "sap-diag",
"service_label_fr": "SAP Diag"
},
"evidence_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:10086 \u00b7 (sonde \/ probe)",
"target_port_label": "10086 \u00b7 SAP Diag",
"emulator_service": "sap-diag",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%",
"classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 48,
"novelty": 15,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "sap-diag",
"service_label_fr": "SAP Diag",
"dst_port": 10086,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-sap-diag",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"port": 10086,
"service": "sap-diag",
"service_label_fr": "SAP Diag"
},
"attack_vector": "Sonde SAP Diag\/GUI \u00b7 via SAP Diag:10086 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"target_port_label": "10086 \u00b7 SAP Diag",
"emulator_service": "sap-diag",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "sap_diag",
"service_banner": "honeypot-sap-diag",
"service_os": "linux",
"dst_port": "10086"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"net_sap_diag_probe",
"sap_diag_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
10086 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:10086 · (tentative d'exploit) · → /v2/_catalog
|
Élevée
|
Moyen · 50
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET /v2/_catalog UA Go-http-client/1.1
Émulateur
HTTP
WAF
14
Recommandation
Investiguer
Tags
950316:lfi-14
950468:nosqli-3
http_probe_registry
http_ua_suspicious
Cible HTTP
GET
/v2/_catalog
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10086
Chemin / cible
/v2/_catalog
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 50
Confiance : Confiance 59 % — 2 tag(s) WAF
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v2/_catalog HTTP/1.1
User-Agent
Go-http-client/1.1
Règles WAF
lfi-14
nosqli-3
Payload (extrait)
GET /v2/_catalog HTTP/1.1
Host: 62.3.50.33:10086
User-Agent: Go-http-client/1.1
Connection: close
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": null,
"http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2",
"http_host_hash": "94eee6682281767a650397a64731a1855e069a99",
"http_target_hash": "0a123e4bf77be2af9aa43488b1d007835b4ab56c",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 104,
"payload_entropy": 4.941227527826012,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "http",
"app_proto": "http",
"asn": 14061,
"country": "US",
"dst_port": 10086,
"risk_waf": 64,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 64,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15
},
"risk_score": 50,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5b3dfc182459085ce7fa5114c1f664f4a6c6580b",
"event_fingerprint": "05f18399e4bfa85a1b9e28111b8d0bbfef7bd6c8",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"confidence_breakdown": {
"waf": 64,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15,
"risk_score": 50,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1",
"payload_hash": "5f01da108d2584e765528c46ba252b67",
"path_pattern_hash": "e619279e9365734b3a57aa3a63edbea8"
},
"target_context": {
"dst_port": 10086,
"service": "http",
"service_name": "http",
"risk_score": 50
},
"payload_preview": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/v2\/_catalog",
"user_agent": "Go-http-client\/1.1",
"waf_tags": [
"950316:lfi-14",
"950468:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"nosqli-3"
],
"request_line": "GET \/v2\/_catalog HTTP\/1.1",
"request_sample": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/v2\/_catalog",
"user_agent": "Go-http-client\/1.1",
"waf_tags": [
"950316:lfi-14",
"950468:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"nosqli-3"
],
"request_line": "GET \/v2\/_catalog HTTP\/1.1",
"request_sample": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6be95418a1f0e2b4fd75ce9082096f8ca1249954",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/_catalog",
"request_line": "GET \/v2\/_catalog HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"port": 10086,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"attack_vector": "lfi path traversal \u00b7 via HTTP:10086 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/_catalog",
"target_port_label": "10086 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 64,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 15,
"risk_score": 50,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10086,
"protocol_emulated": null,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/_catalog",
"request_line": "GET \/v2\/_catalog HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"port": 10086,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:10086 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/_catalog",
"evidence_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"target_port_label": "10086 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 64 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10086"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"sap-diag"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950468:nosqli-3",
"http_probe_registry",
"http_ua_suspicious"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
10086 · HTTP
|
http
|
SSRF
ssrf attack · via HTTP:10086 · (tentative d'exploit)
|
Élevée
|
Moyen · 62
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET / UA Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)
Émulateur
HTTP
WAF
22
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10086
Chemin / cible
/
Pourquoi cette classification : Règle WAF « ssrf-3 » · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 62
Confiance : Confiance 50 % — 4 tag(s) WAF
Signaux
Upstream
Waf Score
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)
Règles WAF
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10086
User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)
Accept: */*
Acce
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10086 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "033dedd926f028341b5d0b4ba132f8088c552b7c",
"http_host_hash": "94eee6682281767a650397a64731a1855e069a99",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 149,
"payload_entropy": 5.1250317965862155,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "http",
"app_proto": "http",
"asn": 14061,
"country": "US",
"dst_port": 10086,
"risk_waf": 96,
"risk_classification": 84,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 96,
"classification": 84,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15
},
"risk_score": 62,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "f61f2f6ef26e5bb6eef609f2f880dee0967c080d",
"event_fingerprint": "dda1d750bc4bc111c8711b0976928dffdd98cc9a",
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 55,
"precision_signals": [
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 96,
"classification": 84,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 62,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "9f9c7ebc5d6f6c8d69ee2392fa6e3a4f",
"payload_hash": "b4e51c06d86e090ada6a5fb731c0d5ff",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10086,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"ssrf_probe"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eab1f9aaa11d335f40828f728a4f04506dada672",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)",
"port": 10086,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"attack_vector": "ssrf attack \u00b7 via HTTP:10086 \u00b7 (tentative d'exploit)",
"target_port_label": "10086 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%",
"classification_reason_label_fr": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 58 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 96,
"classification": 84,
"behavior": 0,
"geo": 40,
"protocol": 25,
"novelty": 15,
"risk_score": 62,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10086,
"protocol_emulated": null,
"tags_summary": [
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)",
"port": 10086,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "ssrf attack \u00b7 via HTTP:10086 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10086\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"target_port_label": "10086 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10086"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"sap-diag"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
10086 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:10086 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 1b9bb541fa237aff SNI 62.3.50.33
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_sni_ip
tls_weak_cipher
Cible HTTP
—
TLS SNI
62.3.50.33
Capteur
paris-1
|
Méthode
—
Port
10086
Chemin / cible
—
Service
TLS
SNI TLS
62.3.50.33
Payload
�����������+l"������D�\�cU�d�%�]���7�{"�'��P�/�+������� ��� ���/�5��� �$�#���������(�'̨̩̪�k�g�9�3���=�<���������,�0��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������+l"������D�\�cU�d�%�]���7�{"�'��P�/�+������� ���
���/�5���
�$�#���������(�'̨̩̪�k�g�9�3���=�<���������,�0�������
Requête brute (extrait)
�����������+l"������D�\�cU�d�%�]���7�{"�'��P�/�+������� ��� ���/�5��� �$�#���������(�'̨̩̪�k�g�9�3���=�<���������,�0���������G����� �� 62.3.50.33���������� ����������� ����� ����������������������
Meta JSON brut
{
"tls_ja3_hash": "1b9bb541fa237aff65acf838b154df7f",
"tls_sni": "62.3.50.33",
"tls_weak_cipher": true,
"tls_weak_cipher_count": 19,
"bytes_in": 201,
"payload_entropy": 5.0558242172034955,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "tls",
"app_proto": "tls",
"asn": 14061,
"country": "US",
"dst_port": 10086,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8da94a12c35907c75559646e3e5cb2c92f11ad9a",
"event_fingerprint": "f8631c0e61d45635970bf0fb79f42ec4b9385e62",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "1b9bb541fa237aff65acf838b154df7f",
"payload_hash": "8d8104c950b1684d25c6ff368b851926",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7d55a26b02c27f625ff34bc84f8ab649",
"tls_version": "0x0303",
"tls_cipher_count": 40,
"tls_sni": "62.3.50.33",
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10-49188-49187-49160-158-157-156-49192-49191-52393-52392-52394-107-103-57-51-22-61-60-4-20-159-21-49196-49200-8-6-3,0-5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "7d55a26b02c27f625ff34bc84f8ab649",
"tls_ja4": "t13d0140_c79c1c2c7c3c_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 40,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10086,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003+l\"\ufffd\ufffd\ufffd\ufffd\ufffd\u0001D\ufffd\\\ufffdcU\ufffdd\u0007%\ufffd]\ufffd\ufffd\ufffd7\ufffd{\"\ufffd'\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003+l\"\ufffd\ufffd\ufffd\ufffd\ufffd\u0001D\ufffd\\\ufffdcU\ufffdd\u0007%\ufffd]\ufffd\ufffd\ufffd7\ufffd{\"\ufffd'\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000\u0000G\u0000\u0000\u0000\u000f\u0000\r\u0000\u0000\n62.3.50.33\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003+l\"\ufffd\ufffd\ufffd\ufffd\ufffd\u0001D\ufffd\\\ufffdcU\ufffdd\u0007%\ufffd]\ufffd\ufffd\ufffd7\ufffd{\"\ufffd'\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f260d19968a5e659ee63417b270375aa0df7032d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003+l\"\ufffd\ufffd\ufffd\ufffd\ufffd\u0001D\ufffd\\\ufffdcU\ufffdd\u0007%\ufffd]\ufffd\ufffd\ufffd7\ufffd{\"\ufffd'\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000",
"tls_ja3": "1b9bb541fa237aff65acf838b154df7f",
"tls_ja4": "7d55a26b02c27f625ff34bc84f8ab649",
"tls_sni": "62.3.50.33",
"port": 10086,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd+l\"\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffd\\\ufffdcU\ufffdd%\ufffd]\ufffd\ufffd\ufffd7\ufffd{\"\ufffd'P\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n\ufffd$\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd'\u0329\u0328\u032akg93=<\ufffd\ufffd,\ufffd0",
"attack_vector": "postgres probe \u00b7 via TLS:10086 \u00b7 (sonde \/ probe)",
"target_port_label": "10086 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10086,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003+l\"\ufffd\ufffd\ufffd\ufffd\ufffd\u0001D\ufffd\\\ufffdcU\ufffdd\u0007%\ufffd]\ufffd\ufffd\ufffd7\ufffd{\"\ufffd'\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000",
"tls_ja3": "1b9bb541fa237aff65acf838b154df7f",
"tls_ja4": "7d55a26b02c27f625ff34bc84f8ab649",
"tls_sni": "62.3.50.33",
"port": 10086,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:10086 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd+l\"\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffd\\\ufffdcU\ufffdd%\ufffd]\ufffd\ufffd\ufffd7\ufffd{\"\ufffd'P\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n\ufffd$\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd'\u0329\u0328\u032akg93=<\ufffd\ufffd,\ufffd0",
"target_port_label": "10086 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10086"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"sap-diag",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_sni_ip",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27018 · MONGODB SHARD
|
mongodb-shard
|
imap bruteforce
imap bruteforce · via MONGODB SHARD:27018 · (sonde / probe)
|
Élevée
|
Moyen · 41
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
MONGODB-SHARD
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
imap_probe
mongodb_shard_emulated
mongodb_shard_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27018
Chemin / cible
—
Service
MONGODB SHARD
Payload
GET /cgi-bin/authLogin.cgi HTTP/1.1 Host: 62.3.50.33:27018 User-Agent: Go-http-client/1.1 Connection: close
Pourquoi cette classification : Type « imap_bruteforce » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 41
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Email Imap Login
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 62.3.50.33:27018
User-Agent: Go-http-client/1.1
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 114,
"payload_entropy": 4.957847915262123,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "mongodb-shard",
"app_proto": "mongodb-shard",
"asn": 14061,
"country": "US",
"dst_port": 27018,
"risk_waf": 8,
"risk_classification": 66,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 41,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "061d6b4be94d95bf8a7fd45aefa9569edac83620",
"event_fingerprint": "55615ed1096b55cc75e4676979dfeb7757337b99",
"classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 76,
"precision_signals": [
"INT-EMAIL-imap-login"
],
"kb_rule_ids": [
"INT-EMAIL-imap-login"
],
"confidence_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 41
},
"named_classification_skipped": false,
"service_name": "mongodb-shard",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a0f1effcdb14ef9e69d3083d7dabf313",
"path_pattern_hash": "d01bbf3f52d5029936b2dffb0f5e856f"
},
"target_context": {
"dst_port": 27018,
"service": "mongodb-shard",
"service_name": "mongodb-shard",
"risk_score": 41
},
"payload_preview": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"evidence": {
"request_sample": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fb16e6198e59d496ba69669e3b84fa86c6c6287c",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"port": 27018,
"service": "mongodb-shard",
"service_label_fr": "MONGODB SHARD"
},
"evidence_snippet": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"attack_vector": "imap bruteforce \u00b7 via MONGODB SHARD:27018 \u00b7 (sonde \/ probe)",
"target_port_label": "27018 \u00b7 MONGODB SHARD",
"emulator_service": "mongodb-shard",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab imap_bruteforce \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 66,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 41
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 41,
"risk_label": "Moyen",
"service_name": "mongodb-shard",
"service_label_fr": "MONGODB SHARD",
"dst_port": 27018,
"protocol_emulated": true,
"tags_summary": [
"INT-EMAIL-imap-login"
],
"tags_summary_labels_fr": [
"Email Imap Login"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb-shard",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"port": 27018,
"service": "mongodb-shard",
"service_label_fr": "MONGODB SHARD"
},
"attack_vector": "imap bruteforce \u00b7 via MONGODB SHARD:27018 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:27018\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"target_port_label": "27018 \u00b7 MONGODB SHARD",
"emulator_service": "mongodb-shard",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb_shard",
"service_banner": "honeypot-mongodb-shard",
"service_os": "linux",
"dst_port": "27018"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"imap_probe",
"mongodb_shard_emulated",
"mongodb_shard_payload",
"net_mongodb_shard_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27018 · MONGODB SHARD
|
mongodb-shard
|
mongodb shard probe
mongodb shard probe · via MONGODB SHARD:27018 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 d6828e30ab66774a
Émulateur
MONGODB-SHARD
WAF
—
Recommandation
Surveiller
Tags
mongodb_shard_emulated
mongodb_shard_payload
net_mongodb_shard_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27018
Chemin / cible
—
Service
MONGODB SHARD
Payload
�����������}�\�g$���?R&�X�L��Skkɢ�X!떱�� y�6�w�j8�q5\�$���A�J�'��r���x���&�+�/�,�0̨̩� ��� �������/�5��� ���������{��������
Pourquoi cette classification : Type « mongodb_shard_probe » (signaux protocolaires) · confiance 64%
Confiance classification
64%
Risque capteur
Moyen
· 45
Confiance : Confiance 64 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Mongo Shard
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������}�\�g$���?R&�X�L��Skkɢ�X!떱�� y�6�w�j8�q5\�$���A�J�'��r���x���&�+�/�,�0̨̩� ���
�������/�5���
���������{�����
Requête brute (extrait)
�����������}�\�g$���?R&�X�L��Skkɢ�X!떱�� y�6�w�j8�q5\�$���A�J�'��r���x���&�+�/�,�0̨̩� ��� �������/�5��� ���������{���������� � ����������� ����� ������������������������������������������+��������3�&�$��� jX��6 i��y�t8��ܠ�m�S:�u�Q���j\I
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 243,
"payload_entropy": 5.8021172430972205,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "mongodb-shard",
"app_proto": "mongodb-shard",
"asn": 14061,
"country": "US",
"dst_port": 27018,
"risk_waf": 8,
"risk_classification": 46,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "643e3aa2f37bd345e541ed726975a5b870d81f15",
"event_fingerprint": "55615ed1096b55cc75e4676979dfeb7757337b99",
"classification_reason": "Type \u00ab mongodb_shard_probe \u00bb (signaux protocolaires) \u00b7 confiance 64%",
"confidence": 0.64,
"classification_confidence": 0.64,
"precision_score": 71,
"precision_signals": [
"INT-mongo-shard",
"INT-upstream"
],
"kb_rule_ids": [
"INT-mongo-shard",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": false,
"service_name": "mongodb-shard",
"risk_confidence_factor": 64,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1eb9c220cb5d4e9565c1e756896bf254",
"path_pattern_hash": "19fbd5bc76140ff01438974534217dd2",
"ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"ja4": "e4d60caa902b8b84112358f96af813c3",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "e4d60caa902b8b84112358f96af813c3",
"tls_ja4": "t13d0119_0f418b0e79cc_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 27018,
"service": "mongodb-shard",
"service_name": "mongodb-shard",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffd\\\ufffdg$\ufffd\ufffd\ufffd?R&\ufffdX\ufffdL\ufffd\ufffdSkk\u0262\u0003X!\ub5b1\ufffd\ufffd y\ufffd6\ufffdw\u0015j8\u0005q5\\\ufffd$\ufffd\ufffd\u001eA\ufffdJ\ufffd'\ufffd\ufffdr\ufffd\u001b\u0007x\u0017\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffd\\\ufffdg$\ufffd\ufffd\ufffd?R&\ufffdX\ufffdL\ufffd\ufffdSkk\u0262\u0003X!\ub5b1\ufffd\ufffd y\ufffd6\ufffdw\u0015j8\u0005q5\\\ufffd$\ufffd\ufffd\u001eA\ufffdJ\ufffd'\ufffd\ufffdr\ufffd\u001b\u0007x\u0017\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 jX\ufffd\ufffd6 i\ufffd\ufffdy\u0016t8\ufffd\u0005\u0720\u0017m\ufffdS:\ufffdu\ufffdQ\u0002\ufffd\ufffdj\\I",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffd\\\ufffdg$\ufffd\ufffd\ufffd?R&\ufffdX\ufffdL\ufffd\ufffdSkk\u0262\u0003X!\ub5b1\ufffd\ufffd y\ufffd6\ufffdw\u0015j8\u0005q5\\\ufffd$\ufffd\ufffd\u001eA\ufffdJ\ufffd'\ufffd\ufffdr\ufffd\u001b\u0007x\u0017\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab mongodb_shard_probe \u00bb (signaux protocolaires) \u00b7 confiance 64%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b2cd657875b57c771704c9cc978186f26dc41eb4",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffd\\\ufffdg$\ufffd\ufffd\ufffd?R&\ufffdX\ufffdL\ufffd\ufffdSkk\u0262\u0003X!\ub5b1\ufffd\ufffd y\ufffd6\ufffdw\u0015j8\u0005q5\\\ufffd$\ufffd\ufffd\u001eA\ufffdJ\ufffd'\ufffd\ufffdr\ufffd\u001b\u0007x\u0017\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja4": "e4d60caa902b8b84112358f96af813c3",
"port": 27018,
"service": "mongodb-shard",
"service_label_fr": "MONGODB SHARD"
},
"evidence_snippet": "\ufffd\ufffd}\ufffd\\\ufffdg$\ufffd\ufffd\ufffd?R&\ufffdX\ufffdL\ufffd\ufffdSkk\u0262X!\ub5b1\ufffd\ufffd y\ufffd6\ufffdwj8q5\\\ufffd$\ufffd\ufffdA\ufffdJ\ufffd'\ufffd\ufffdr\ufffdx\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "mongodb shard probe \u00b7 via MONGODB SHARD:27018 \u00b7 (sonde \/ probe)",
"target_port_label": "27018 \u00b7 MONGODB SHARD",
"emulator_service": "mongodb-shard",
"confidence_reason": "Confiance 64 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_shard_probe \u00bb (signaux protocolaires) \u00b7 confiance 64%",
"classification_reason_label_fr": "Type \u00ab mongodb_shard_probe \u00bb (signaux protocolaires) \u00b7 confiance 64%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 64,
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "mongodb-shard",
"service_label_fr": "MONGODB SHARD",
"dst_port": 27018,
"protocol_emulated": true,
"tags_summary": [
"INT-mongo-shard",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Mongo Shard",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb-shard",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffd\\\ufffdg$\ufffd\ufffd\ufffd?R&\ufffdX\ufffdL\ufffd\ufffdSkk\u0262\u0003X!\ub5b1\ufffd\ufffd y\ufffd6\ufffdw\u0015j8\u0005q5\\\ufffd$\ufffd\ufffd\u001eA\ufffdJ\ufffd'\ufffd\ufffdr\ufffd\u001b\u0007x\u0017\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja4": "e4d60caa902b8b84112358f96af813c3",
"port": 27018,
"service": "mongodb-shard",
"service_label_fr": "MONGODB SHARD"
},
"attack_vector": "mongodb shard probe \u00b7 via MONGODB SHARD:27018 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd}\ufffd\\\ufffdg$\ufffd\ufffd\ufffd?R&\ufffdX\ufffdL\ufffd\ufffdSkk\u0262X!\ub5b1\ufffd\ufffd y\ufffd6\ufffdwj8q5\\\ufffd$\ufffd\ufffdA\ufffdJ\ufffd'\ufffd\ufffdr\ufffdx\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "27018 \u00b7 MONGODB SHARD",
"emulator_service": "mongodb-shard",
"confidence_reason": "Confiance 64 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 64 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb_shard",
"service_banner": "honeypot-mongodb-shard",
"service_os": "linux",
"dst_port": "27018"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_shard_emulated",
"mongodb_shard_payload",
"net_mongodb_shard_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27018 · MONGODB SHARD
|
mongodb-shard
|
mongodb shard probe
mongodb shard probe · via MONGODB SHARD:27018 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 d6828e30ab66774a
Émulateur
MONGODB-SHARD
WAF
—
Recommandation
Surveiller
Tags
mongodb_shard_emulated
mongodb_shard_payload
net_mongodb_shard_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27018
Chemin / cible
—
Service
MONGODB SHARD
Payload
�������������� ��VD���(��[ա��&l��R�a4���vD Ap��u���:^Q��:�s�P���8cjx@�B�r���&�+�/�,�0̨̩� ��� �������/�5��� ���������{��������
Pourquoi cette classification : Type « mongodb_shard_probe » (signaux protocolaires) · confiance 64%
Confiance classification
64%
Risque capteur
Moyen
· 45
Confiance : Confiance 64 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Mongo Shard
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������� ��VD���(��[ա��&l��R�a4���vD Ap��u���:^Q��:�s�P���8cjx@�B�r���&�+�/�,�0̨̩� ���
�������/�5���
���������{�����
Requête brute (extrait)
�������������� ��VD���(��[ա��&l��R�a4���vD Ap��u���:^Q��:�s�P���8cjx@�B�r���&�+�/�,�0̨̩� ��� �������/�5��� ���������{���������� � ����������� ����� ������������������������������������������+��������3�&�$��� ٌ_���t�gח��.���y���S755�M�ů�b
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 243,
"payload_entropy": 5.897448655211883,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "mongodb-shard",
"app_proto": "mongodb-shard",
"asn": 14061,
"country": "US",
"dst_port": 27018,
"risk_waf": 8,
"risk_classification": 46,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "643e3aa2f37bd345e541ed726975a5b870d81f15",
"event_fingerprint": "55615ed1096b55cc75e4676979dfeb7757337b99",
"classification_reason": "Type \u00ab mongodb_shard_probe \u00bb (signaux protocolaires) \u00b7 confiance 64%",
"confidence": 0.64,
"classification_confidence": 0.64,
"precision_score": 71,
"precision_signals": [
"INT-mongo-shard",
"INT-upstream"
],
"kb_rule_ids": [
"INT-mongo-shard",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": false,
"service_name": "mongodb-shard",
"risk_confidence_factor": 64,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7e4f0f288b864e1583cd73bd006d4c41",
"path_pattern_hash": "19fbd5bc76140ff01438974534217dd2",
"ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"ja4": "e4d60caa902b8b84112358f96af813c3",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "e4d60caa902b8b84112358f96af813c3",
"tls_ja4": "t13d0119_0f418b0e79cc_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 27018,
"service": "mongodb-shard",
"service_name": "mongodb-shard",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd \ufffd\ufffdVD\ufffd\ufffd\u0004(\ufffd\ufffd[\u0561\u001b\ufffd&l\ufffd\u0014R\ufffda4\ufffd\ufffd\u0017vD Ap\ufffd\u0018u\u001f\ufffd\ufffd:^Q\ufffd\ufffd:\ufffds\ufffdP\ufffd\ufffd\ufffd8cjx@\u0015B\ufffdr\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd \ufffd\ufffdVD\ufffd\ufffd\u0004(\ufffd\ufffd[\u0561\u001b\ufffd&l\ufffd\u0014R\ufffda4\ufffd\ufffd\u0017vD Ap\ufffd\u0018u\u001f\ufffd\ufffd:^Q\ufffd\ufffd:\ufffds\ufffdP\ufffd\ufffd\ufffd8cjx@\u0015B\ufffdr\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u064c_\ufffd\ufffd\ufffdt\ufffdg\u05d7\ufffd\ufffd.\ufffd\ufffd\ufffdy\ufffd\ufffd\ufffdS755\ufffdM\u0012\u016f\ufffdb",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd \ufffd\ufffdVD\ufffd\ufffd\u0004(\ufffd\ufffd[\u0561\u001b\ufffd&l\ufffd\u0014R\ufffda4\ufffd\ufffd\u0017vD Ap\ufffd\u0018u\u001f\ufffd\ufffd:^Q\ufffd\ufffd:\ufffds\ufffdP\ufffd\ufffd\ufffd8cjx@\u0015B\ufffdr\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab mongodb_shard_probe \u00bb (signaux protocolaires) \u00b7 confiance 64%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bbb5b7878f6386e571376bd64aceff343e8edfaa",
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd \ufffd\ufffdVD\ufffd\ufffd\u0004(\ufffd\ufffd[\u0561\u001b\ufffd&l\ufffd\u0014R\ufffda4\ufffd\ufffd\u0017vD Ap\ufffd\u0018u\u001f\ufffd\ufffd:^Q\ufffd\ufffd:\ufffds\ufffdP\ufffd\ufffd\ufffd8cjx@\u0015B\ufffdr\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja4": "e4d60caa902b8b84112358f96af813c3",
"port": 27018,
"service": "mongodb-shard",
"service_label_fr": "MONGODB SHARD"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdVD\ufffd\ufffd(\ufffd\ufffd[\u0561\ufffd&l\ufffdR\ufffda4\ufffd\ufffdvD Ap\ufffdu\ufffd\ufffd:^Q\ufffd\ufffd:\ufffds\ufffdP\ufffd\ufffd\ufffd8cjx@B\ufffdr\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "mongodb shard probe \u00b7 via MONGODB SHARD:27018 \u00b7 (sonde \/ probe)",
"target_port_label": "27018 \u00b7 MONGODB SHARD",
"emulator_service": "mongodb-shard",
"confidence_reason": "Confiance 64 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_shard_probe \u00bb (signaux protocolaires) \u00b7 confiance 64%",
"classification_reason_label_fr": "Type \u00ab mongodb_shard_probe \u00bb (signaux protocolaires) \u00b7 confiance 64%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 64,
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "mongodb-shard",
"service_label_fr": "MONGODB SHARD",
"dst_port": 27018,
"protocol_emulated": true,
"tags_summary": [
"INT-mongo-shard",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Mongo Shard",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb-shard",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd \ufffd\ufffdVD\ufffd\ufffd\u0004(\ufffd\ufffd[\u0561\u001b\ufffd&l\ufffd\u0014R\ufffda4\ufffd\ufffd\u0017vD Ap\ufffd\u0018u\u001f\ufffd\ufffd:^Q\ufffd\ufffd:\ufffds\ufffdP\ufffd\ufffd\ufffd8cjx@\u0015B\ufffdr\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja4": "e4d60caa902b8b84112358f96af813c3",
"port": 27018,
"service": "mongodb-shard",
"service_label_fr": "MONGODB SHARD"
},
"attack_vector": "mongodb shard probe \u00b7 via MONGODB SHARD:27018 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdVD\ufffd\ufffd(\ufffd\ufffd[\u0561\ufffd&l\ufffdR\ufffda4\ufffd\ufffdvD Ap\ufffdu\ufffd\ufffd:^Q\ufffd\ufffd:\ufffds\ufffdP\ufffd\ufffd\ufffd8cjx@B\ufffdr\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "27018 \u00b7 MONGODB SHARD",
"emulator_service": "mongodb-shard",
"confidence_reason": "Confiance 64 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 64 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb_shard",
"service_banner": "honeypot-mongodb-shard",
"service_os": "linux",
"dst_port": "27018"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_shard_emulated",
"mongodb_shard_payload",
"net_mongodb_shard_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27019 · MONGODB CONFIG
|
mongodb-config
|
mongodb-config
mongodb-config · via MONGODB CONFIG:27019 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
MONGODB-CONFIG
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27019
Chemin / cible
—
Service
MONGODB CONFIG
Payload
����$��� ��R��9�.����,w��/�����_���j @����P 1�?�/ ��}�^g��"[���C��T�V̧>�y ��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3��
Pourquoi cette classification : Type « mongodb-config » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����$��� ��R��9�.����,w��/�����_���j�@����P 1�?�/���}�^g��"[���C��T�V̧>�y
��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g�
���9� ���3��
Requête brute (extrait)
����$��� ��R��9�.����,w��/�����_���j @����P 1�?�/ ��}�^g��"[���C��T�V̧>�y ��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3�����=�<�5�/������� ������� �������������������������#����������� �*�(����������� � � �������������������������+� ����������-����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 297,
"payload_entropy": 5.764253803505747,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "mongodb-config",
"app_proto": "mongodb-config",
"asn": 14061,
"country": "US",
"dst_port": 27019,
"risk_waf": 8,
"risk_classification": 24,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 8,
"classification": 24,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "0b4a20a426e361956c8242dc78caf8f73f9ffd36",
"event_fingerprint": "36841e4a8048e5c9be2652fb65ea4640a837374d",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab mongodb-config \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 24,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"service_name": "mongodb-config",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f038709b1f879afabb28d2b743b30d2f",
"path_pattern_hash": "f1efe8d5cee1216cc4e89a2b272a7920"
},
"target_context": {
"dst_port": 27019,
"service": "mongodb-config",
"service_name": "mongodb-config",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003R\ufffd\u00019\u001c.\ufffd\ufffd\u0003\ufffd,w\u0005\ufffd\/\ufffd\ufffd\ufffd\u000e\ufffd_\ufffd\ufffd\ufffdj\u000b@\ufffd\ufffd\u0018\ufffdP 1\ufffd?\ufffd\/\f\ufffd\ufffd}\ufffd^g\ufffd\ufffd\"[\ufffd\ufffd\u001aC\ufffd\ufffdT\ufffdV\u0327>\ufffdy\r\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003R\ufffd\u00019\u001c.\ufffd\ufffd\u0003\ufffd,w\u0005\ufffd\/\ufffd\ufffd\ufffd\u000e\ufffd_\ufffd\ufffd\ufffdj\u000b@\ufffd\ufffd\u0018\ufffdP 1\ufffd?\ufffd\/\f\ufffd\ufffd}\ufffd^g\ufffd\ufffd\"[\ufffd\ufffd\u001aC\ufffd\ufffdT\ufffdV\u0327>\ufffdy\r\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0000\ufffd\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003R\ufffd\u00019\u001c.\ufffd\ufffd\u0003\ufffd,w\u0005\ufffd\/\ufffd\ufffd\ufffd\u000e\ufffd_\ufffd\ufffd\ufffdj\u000b@\ufffd\ufffd\u0018\ufffdP 1\ufffd?\ufffd\/\f\ufffd\ufffd}\ufffd^g\ufffd\ufffd\"[\ufffd\ufffd\u001aC\ufffd\ufffdT\ufffdV\u0327>\ufffdy\r\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"classification_reason": "Type \u00ab mongodb-config \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f5677cdd7c94a838babc60882e2e05f9d8af65ad",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003R\ufffd\u00019\u001c.\ufffd\ufffd\u0003\ufffd,w\u0005\ufffd\/\ufffd\ufffd\ufffd\u000e\ufffd_\ufffd\ufffd\ufffdj\u000b@\ufffd\ufffd\u0018\ufffdP 1\ufffd?\ufffd\/\f\ufffd\ufffd}\ufffd^g\ufffd\ufffd\"[\ufffd\ufffd\u001aC\ufffd\ufffdT\ufffdV\u0327>\ufffdy\r\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"evidence_snippet": "$ R\ufffd9.\ufffd\ufffd\ufffd,w\ufffd\/\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdj@\ufffd\ufffd\ufffdP 1\ufffd?\ufffd\/\ufffd\ufffd}\ufffd^g\ufffd\ufffd\"[\ufffd\ufffdC\ufffd\ufffdT\ufffdV\u0327>\ufffdy\r\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"attack_vector": "mongodb-config \u00b7 via MONGODB CONFIG:27019 \u00b7 (sonde \/ probe)",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb-config \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab mongodb-config \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 24,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "mongodb-config",
"service_label_fr": "MONGODB CONFIG",
"dst_port": 27019,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb-config",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003R\ufffd\u00019\u001c.\ufffd\ufffd\u0003\ufffd,w\u0005\ufffd\/\ufffd\ufffd\ufffd\u000e\ufffd_\ufffd\ufffd\ufffdj\u000b@\ufffd\ufffd\u0018\ufffdP 1\ufffd?\ufffd\/\f\ufffd\ufffd}\ufffd^g\ufffd\ufffd\"[\ufffd\ufffd\u001aC\ufffd\ufffdT\ufffdV\u0327>\ufffdy\r\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"attack_vector": "mongodb-config \u00b7 via MONGODB CONFIG:27019 \u00b7 (sonde \/ probe)",
"evidence_snippet": "$ R\ufffd9.\ufffd\ufffd\ufffd,w\ufffd\/\ufffd\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffdj@\ufffd\ufffd\ufffdP 1\ufffd?\ufffd\/\ufffd\ufffd}\ufffd^g\ufffd\ufffd\"[\ufffd\ufffdC\ufffd\ufffdT\ufffdV\u0327>\ufffdy\r\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb_config",
"service_banner": "honeypot-mongodb-config",
"service_os": "linux",
"dst_port": "27019"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27019 · MONGODB CONFIG
|
mongodb-config
|
Sonde PostgreSQL
postgres probe · via MONGODB CONFIG:27019 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 1b9bb541fa237aff SNI 62.3.50.33
Émulateur
MONGODB-CONFIG
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27019
Chemin / cible
—
Service
MONGODB CONFIG
SNI TLS
62.3.50.33
Payload
������������^Cɓ���N=���G���{��>vB�c�'�C���P�/�+������� ��� ���/�5��� �$�#���������(�'̨̩̪�k�g�9�3���=�<���������,�0��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������^Cɓ���N=���G���{��>vB�c�'�C���P�/�+������� ���
���/�5���
�$�#���������(�'̨̩̪�k�g�9�3���=�<���������,�0�������
Requête brute (extrait)
������������^Cɓ���N=���G���{��>vB�c�'�C���P�/�+������� ��� ���/�5��� �$�#���������(�'̨̩̪�k�g�9�3���=�<���������,�0���������G����� �� 62.3.50.33���������� ����������� ����� ����������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 201,
"payload_entropy": 4.984358903887076,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "mongodb-config",
"app_proto": "mongodb-config",
"asn": 14061,
"country": "US",
"dst_port": 27019,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "0b4a20a426e361956c8242dc78caf8f73f9ffd36",
"event_fingerprint": "36841e4a8048e5c9be2652fb65ea4640a837374d",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "mongodb-config",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "97e4fcf51d6d0a751d7e5e66f9fbc174",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "1b9bb541fa237aff65acf838b154df7f",
"ja4": "7d55a26b02c27f625ff34bc84f8ab649",
"tls_version": "0x0303",
"tls_cipher_count": 40,
"tls_sni": "62.3.50.33",
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "1b9bb541fa237aff65acf838b154df7f",
"tls_ja3": "771,49199-49195-49169-49159-49171-49161-49172-49162-5-47-53-49170-10-49188-49187-49160-158-157-156-49192-49191-52393-52392-52394-107-103-57-51-22-61-60-4-20-159-21-49196-49200-8-6-3,0-5-10-11-13-65281,23-24-25,0",
"tls_ja4_hash": "7d55a26b02c27f625ff34bc84f8ab649",
"tls_ja4": "t13d0140_c79c1c2c7c3c_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 40,
"tls_sni": "62.3.50.33",
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 27019,
"service": "mongodb-config",
"service_name": "mongodb-config",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005^C\u0253\ufffd\ufffd\ufffdN=\ufffd\u0001\ufffdG\u0012\ufffd\u0017{\u0014\ufffd>vB\ufffdc\ufffd'\u0010C\ufffd\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005^C\u0253\ufffd\ufffd\ufffdN=\ufffd\u0001\ufffdG\u0012\ufffd\u0017{\u0014\ufffd>vB\ufffdc\ufffd'\u0010C\ufffd\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000\u0000G\u0000\u0000\u0000\u000f\u0000\r\u0000\u0000\n62.3.50.33\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u0010\u0000\u000e\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0004\u0001\u0005\u0001\u0006\u0001\ufffd\u0001\u0000\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005^C\u0253\ufffd\ufffd\ufffdN=\ufffd\u0001\ufffdG\u0012\ufffd\u0017{\u0014\ufffd>vB\ufffdc\ufffd'\u0010C\ufffd\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "145893f011907f76ef483b91b17a6dc223d163cb",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005^C\u0253\ufffd\ufffd\ufffdN=\ufffd\u0001\ufffdG\u0012\ufffd\u0017{\u0014\ufffd>vB\ufffdc\ufffd'\u0010C\ufffd\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000",
"tls_ja3": "1b9bb541fa237aff65acf838b154df7f",
"tls_ja4": "7d55a26b02c27f625ff34bc84f8ab649",
"tls_sni": "62.3.50.33",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"evidence_snippet": "\ufffd\ufffd^C\u0253\ufffd\ufffd\ufffdN=\ufffd\ufffdG\ufffd{\ufffd>vB\ufffdc\ufffd'C\ufffdP\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n\ufffd$\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd'\u0329\u0328\u032akg93=<\ufffd\ufffd,\ufffd0",
"attack_vector": "postgres probe \u00b7 via MONGODB CONFIG:27019 \u00b7 (sonde \/ probe)",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "mongodb-config",
"service_label_fr": "MONGODB CONFIG",
"dst_port": 27019,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb-config",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005^C\u0253\ufffd\ufffd\ufffdN=\ufffd\u0001\ufffdG\u0012\ufffd\u0017{\u0014\ufffd>vB\ufffdc\ufffd'\u0010C\ufffd\u0000\u0000P\ufffd\/\ufffd+\ufffd\u0011\ufffd\u0007\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\u0005\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd$\ufffd#\ufffd\b\u0000\ufffd\u0000\ufffd\u0000\ufffd\ufffd(\ufffd'\u0329\u0328\u032a\u0000k\u0000g\u00009\u00003\u0000\u0016\u0000=\u0000<\u0000\u0004\u0000\u0014\u0000\ufffd\u0000\u0015\ufffd,\ufffd0\u0000\b\u0000\u0006\u0000\u0003\u0001\u0000",
"tls_ja3": "1b9bb541fa237aff65acf838b154df7f",
"tls_ja4": "7d55a26b02c27f625ff34bc84f8ab649",
"tls_sni": "62.3.50.33",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"attack_vector": "postgres probe \u00b7 via MONGODB CONFIG:27019 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd^C\u0253\ufffd\ufffd\ufffdN=\ufffd\ufffdG\ufffd{\ufffd>vB\ufffdc\ufffd'C\ufffdP\ufffd\/\ufffd+\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd\n\/5\ufffd\n\ufffd$\ufffd#\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd'\u0329\u0328\u032akg93=<\ufffd\ufffd,\ufffd0",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb_config",
"service_banner": "honeypot-mongodb-config",
"service_os": "linux",
"dst_port": "27019"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27019 · MONGODB CONFIG
|
mongodb-config
|
Sonde SAP Diag/GUI
Sonde SAP Diag/GUI · via MONGODB CONFIG:27019 · (sonde / probe)
|
Élevée
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
MONGODB-CONFIG
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
net_sap_diag_probe
sap_diag_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27019
Chemin / cible
—
Service
MONGODB CONFIG
Payload
GET /query?q=SHOW+DIAGNOSTICS HTTP/1.1 Host: 62.3.50.33:27019 User-Agent: Go-http-client/1.1 Connection: close
Pourquoi cette classification : Connexion SAP Diag/GUI · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /query?q=SHOW+DIAGNOSTICS HTTP/1.1
Host: 62.3.50.33:27019
User-Agent: Go-http-client/1.1
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 117,
"payload_entropy": 5.277833665335376,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "mongodb-config",
"app_proto": "mongodb-config",
"asn": 14061,
"country": "US",
"dst_port": 27019,
"risk_waf": 8,
"risk_classification": 62,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "fa7e00eeb4027a92b388c5335d69dfcd58c1f651",
"event_fingerprint": "eb6df866b746b0c40d97cdb7153a0054c2df510b",
"classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "mongodb-config",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1daa7602e2ccb8236bc03d6125f54ac3",
"path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87"
},
"target_context": {
"dst_port": 27019,
"service": "mongodb-config",
"service_name": "mongodb-config",
"risk_score": 24
},
"payload_preview": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"evidence": {
"request_sample": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"sap_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e26de3b1492deec20600d33e9779e45c5d3a4bf4",
"protocol_details": {
"payload_preview": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"evidence_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"attack_vector": "Sonde SAP Diag\/GUI \u00b7 via MONGODB CONFIG:27019 \u00b7 (sonde \/ probe)",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Connexion SAP Diag\/GUI \u00b7 confiance 0%",
"classification_reason_label_fr": "Connexion SAP Diag\/GUI \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "mongodb-config",
"service_label_fr": "MONGODB CONFIG",
"dst_port": 27019,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb-config",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"attack_vector": "Sonde SAP Diag\/GUI \u00b7 via MONGODB CONFIG:27019 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb_config",
"service_banner": "honeypot-mongodb-config",
"service_os": "linux",
"dst_port": "27019"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"net_sap_diag_probe",
"sap_diag_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27019 · MONGODB CONFIG
|
mongodb-config
|
Sonde Elasticsearch
elasticsearch probe · via MONGODB CONFIG:27019 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
MONGODB-CONFIG
WAF
—
Recommandation
Surveiller
Tags
elastic_probe
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27019
Chemin / cible
—
Service
MONGODB CONFIG
Payload
GET /v2/_catalog HTTP/1.1 Host: 62.3.50.33:27019 User-Agent: Go-http-client/1.1 Connection: close
Pourquoi cette classification : Type « elasticsearch_probe » (signaux protocolaires) · confiance 56%
Confiance classification
56%
Risque capteur
Faible
· 33
Confiance : Confiance 56 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Infra Elastic Cat
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /v2/_catalog HTTP/1.1
Host: 62.3.50.33:27019
User-Agent: Go-http-client/1.1
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 104,
"payload_entropy": 4.96045829705678,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "mongodb-config",
"app_proto": "mongodb-config",
"asn": 14061,
"country": "US",
"dst_port": 27019,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 32,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "0ed48d448c628485c237fa33dc4d6f8d922c8cab",
"event_fingerprint": "36841e4a8048e5c9be2652fb65ea4640a837374d",
"classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 56%",
"confidence": 0.56,
"classification_confidence": 0.56,
"precision_score": 66,
"precision_signals": [
"INT-INFRA-elastic-cat"
],
"kb_rule_ids": [
"INT-INFRA-elastic-cat"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "mongodb-config",
"risk_confidence_factor": 56,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "cfc444d3c3d24fa3cdb2e1059835448b",
"path_pattern_hash": "9dbf5366f59d9174076d704198d3d3fd"
},
"target_context": {
"dst_port": 27019,
"service": "mongodb-config",
"service_name": "mongodb-config",
"risk_score": 33
},
"payload_preview": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"evidence": {
"request_sample": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 56%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ba0b54cab9e0b80a1889d2f929d20d9fa620cbf0",
"protocol_details": {
"payload_preview": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"evidence_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"attack_vector": "elasticsearch probe \u00b7 via MONGODB CONFIG:27019 \u00b7 (sonde \/ probe)",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 56 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 56%",
"classification_reason_label_fr": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 56%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 56,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 32,
"novelty": 15,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "mongodb-config",
"service_label_fr": "MONGODB CONFIG",
"dst_port": 27019,
"protocol_emulated": true,
"tags_summary": [
"INT-INFRA-elastic-cat"
],
"tags_summary_labels_fr": [
"Infra Elastic Cat"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb-config",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"attack_vector": "elasticsearch probe \u00b7 via MONGODB CONFIG:27019 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 56 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 56 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb_config",
"service_banner": "honeypot-mongodb-config",
"service_os": "linux",
"dst_port": "27019"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"elastic_probe",
"http_get_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
27019 · MONGODB CONFIG
|
mongodb-config
|
Botnet Mozi
mozi pattern · via MONGODB CONFIG:27019 · (commande & contrôle)
|
Élevée
|
Moyen · 42
|
|
Étape
Commande & contrôle
Chaîne
Commande & contrôle
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0011
TA0011
Protocole
Émulateur
MONGODB-CONFIG
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mozi_pattern
net_mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
27019
Chemin / cible
—
Service
MONGODB CONFIG
Payload
GET / HTTP/1.1 Host: 62.3.50.33:27019 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Accept: */* Acce
Pourquoi cette classification : Type « mozi_pattern » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Moyen
· 42
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0011
Tactiques MITRE
TA0011
Motifs de détection (base)
LFI Double-dot bypass
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:27019
User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)
Accept: */*
Acce
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:27019 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00",
"emulator_response_len": 62,
"bytes_in": 149,
"payload_entropy": 5.146811075095185,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "mongodb-config",
"app_proto": "mongodb-config",
"asn": 14061,
"country": "US",
"dst_port": 27019,
"risk_waf": 8,
"risk_classification": 82,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b1d0951b4dfea540291202b864b667c97a8d7d9e",
"event_fingerprint": "61ad1ddc16138b944a92463025f0344ebdcd0b6f",
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 42
},
"named_classification_skipped": false,
"service_name": "mongodb-config",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "92f36fb698653eea2395162a82c8b51f",
"path_pattern_hash": "762d384fab941f6d0c2239f19994f30e"
},
"target_context": {
"dst_port": 27019,
"service": "mongodb-config",
"service_name": "mongodb-config",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "c2",
"mitre_tactics": [
"TA0011"
],
"mitre": "TA0011",
"threat_family": [
"botnet"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7b5a679ab660e2f329abd24cab5b70ebaedbbf14",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"attack_vector": "mozi pattern \u00b7 via MONGODB CONFIG:27019 \u00b7 (commande & contr\u00f4le)",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab mozi_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE TA0011 \u2014 via MONGODB CONFIG",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 82,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 42
},
"attack_stage": "c2",
"attack_stage_label": "Commande & contr\u00f4le",
"attack_chain_stage": "command_and_control",
"attack_chain_stage_label_fr": "Commande & contr\u00f4le",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "mongodb-config",
"service_label_fr": "MONGODB CONFIG",
"dst_port": 27019,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0011",
"mitre_technique": "TA0011",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mongodb-config",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"port": 27019,
"service": "mongodb-config",
"service_label_fr": "MONGODB CONFIG"
},
"attack_vector": "mozi pattern \u00b7 via MONGODB CONFIG:27019 \u00b7 (commande & contr\u00f4le)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:27019\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAcce",
"target_port_label": "27019 \u00b7 MONGODB CONFIG",
"emulator_service": "mongodb-config",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": true,
"kind": "stage"
},
{
"key": "command_and_control",
"label_fr": "Commande & contr\u00f4le",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mongodb_config",
"service_banner": "honeypot-mongodb-config",
"service_os": "linux",
"dst_port": "27019"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "command_and_control",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_mozi_pattern"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9200 · ELASTICSEARCH
|
elasticsearch
|
Sonde Elasticsearch
elasticsearch probe · via ELASTICSEARCH:9200 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Sonde Elasticsearch (REST)
Émulateur
ELASTICSEARCH
WAF
—
Recommandation
Surveiller
Tags
elasticsearch_emulated
elasticsearch_tcp_probe
net_elasticsearch_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9200
Chemin / cible
—
Service
ELASTICSEARCH
Payload
����$��� ���� ����Ei�c�K���|��N�U�x��8��ߥ ��$���[���j����!���oDj�sb`�}�7�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3��
Pourquoi cette classification : Type « elasticsearch_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 33
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����$��� ���������Ei�c�K���|��N�U�x��8��ߥ ��$���[���j����!���oDj�sb`�}�7�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g�
���9� ���3��
Requête brute (extrait)
����$��� ���� ����Ei�c�K���|��N�U�x��8��ߥ ��$���[���j����!���oDj�sb`�}�7�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3�����=�<�5�/������� ������� �������������������������#����������� �*�(����������� � � �������������������������+� ����������-����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c",
"emulator_response_len": 172,
"bytes_in": 297,
"payload_entropy": 5.807644567541748,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "elasticsearch",
"app_proto": "elasticsearch",
"asn": 14061,
"country": "US",
"dst_port": 9200,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 33,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "93abadea2248805c510cdc75076bd41245b4474e",
"event_fingerprint": "64ce65412bf1b81fa23464b76dd480979155e3d0",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 33
},
"service_name": "elasticsearch",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ea271b1d35232e905f45b99035a62ca4",
"path_pattern_hash": "9dbf5366f59d9174076d704198d3d3fd"
},
"target_context": {
"dst_port": 9200,
"service": "elasticsearch",
"service_name": "elasticsearch",
"risk_score": 33
},
"payload_snippet": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffdEi\ufffdc\ufffdK\ufffd\ufffd\u0012|\ufffd\ufffdN\ufffdU\ufffdx\ufffd\ufffd8\ufffd\u0000\u07e5 \ufffd\ufffd$\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\u0015oDj\ufffd\u009asb`\ufffd}\ufffd7\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffdEi\ufffdc\ufffdK\ufffd\ufffd\u0012|\ufffd\ufffdN\ufffdU\ufffdx\ufffd\ufffd8\ufffd\u0000\u07e5 \ufffd\ufffd$\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\u0015oDj\ufffd\u009asb`\ufffd}\ufffd7\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0000\ufffd\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffdEi\ufffdc\ufffdK\ufffd\ufffd\u0012|\ufffd\ufffdN\ufffdU\ufffdx\ufffd\ufffd8\ufffd\u0000\u07e5 \ufffd\ufffd$\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\u0015oDj\ufffd\u009asb`\ufffd}\ufffd7\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4aba0d8d2e626aa6a923a4839cd7b0b10eb2843b",
"protocol_details": {
"elasticsearch_probe_fr": "Sonde Elasticsearch (REST)",
"payload_preview": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffdEi\ufffdc\ufffdK\ufffd\ufffd\u0012|\ufffd\ufffdN\ufffdU\ufffdx\ufffd\ufffd8\ufffd\u0000\u07e5 \ufffd\ufffd$\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\u0015oDj\ufffd\u009asb`\ufffd}\ufffd7\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"evidence_snippet": "$ \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffdc\ufffdK\ufffd\ufffd|\ufffd\ufffdN\ufffdU\ufffdx\ufffd\ufffd8\ufffd\u07e5 \ufffd\ufffd$\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffdoDj\ufffd\u009asb`\ufffd}\ufffd7>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"attack_vector": "elasticsearch probe \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe)",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab elasticsearch_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "elasticsearch",
"service_label_fr": "ELASTICSEARCH",
"dst_port": 9200,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Elasticsearch 8.11",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"elasticsearch_probe_fr": "Sonde Elasticsearch (REST)",
"payload_preview": "\u0016\u0003\u0001\u0001$\u0001\u0000\u0001 \u0003\u0003\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffdEi\ufffdc\ufffdK\ufffd\ufffd\u0012|\ufffd\ufffdN\ufffdU\ufffdx\ufffd\ufffd8\ufffd\u0000\u07e5 \ufffd\ufffd$\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\u0015oDj\ufffd\u009asb`\ufffd}\ufffd7\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"attack_vector": "elasticsearch probe \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe)",
"evidence_snippet": "$ \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffdc\ufffdK\ufffd\ufffd|\ufffd\ufffdN\ufffdU\ufffdx\ufffd\ufffd8\ufffd\u07e5 \ufffd\ufffd$\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffdoDj\ufffd\u009asb`\ufffd}\ufffd7>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "elasticsearch",
"service_banner": "Elasticsearch 8.11",
"service_os": "linux",
"dst_port": "9200"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"elasticsearch_emulated",
"elasticsearch_tcp_probe",
"net_elasticsearch_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9200 · ELASTICSEARCH
|
elasticsearch
|
Traversal LFI
lfi path traversal · via ELASTICSEARCH:9200 · (tentative d'exploit) · → /v2/_catalog
|
Élevée
|
Moyen · 53
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET /v2/_catalog Requête Elasticsearch : /v2/_catalog UA Go-http-client/1.1
Émulateur
ELASTICSEARCH
WAF
14
Recommandation
Investiguer
Tags
950316:lfi-14
950468:nosqli-3
http_probe_registry
http_ua_suspicious
Cible HTTP
GET
/v2/_catalog
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9200
Chemin / cible
/v2/_catalog
Pourquoi cette classification : Type « lfi_path_traversal » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 53
Confiance : Confiance 59 % — 2 tag(s) WAF
Protocole émulé
1
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /v2/_catalog HTTP/1.1
User-Agent
Go-http-client/1.1
Règles WAF
lfi-14
nosqli-3
Payload (extrait)
GET /v2/_catalog HTTP/1.1
Host: 62.3.50.33:9200
User-Agent: Go-http-client/1.1
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c",
"emulator_response_len": 172,
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": null,
"http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2",
"http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e",
"http_target_hash": "0a123e4bf77be2af9aa43488b1d007835b4ab56c",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 103,
"payload_entropy": 4.937924655139577,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "elasticsearch",
"app_proto": "elasticsearch",
"asn": 14061,
"country": "US",
"dst_port": 9200,
"risk_waf": 64,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 50,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 64,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 50,
"novelty": 25
},
"risk_score": 53,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "9464174b543620d608f85348e01185c5c4996d05",
"event_fingerprint": "5bbd9455a0de273c9e549a66d2e37607babf2d48",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"confidence_breakdown": {
"waf": 64,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 50,
"novelty": 25,
"risk_score": 53
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "elasticsearch",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1",
"payload_hash": "10b6351749b93a13d6d16ef8d5a9daa3",
"path_pattern_hash": "e619279e9365734b3a57aa3a63edbea8"
},
"target_context": {
"dst_port": 9200,
"service": "elasticsearch",
"service_name": "elasticsearch",
"risk_score": 53
},
"payload_preview": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/v2\/_catalog",
"user_agent": "Go-http-client\/1.1",
"waf_tags": [
"950316:lfi-14",
"950468:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"nosqli-3"
],
"request_line": "GET \/v2\/_catalog HTTP\/1.1",
"request_sample": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/v2\/_catalog",
"user_agent": "Go-http-client\/1.1",
"waf_tags": [
"950316:lfi-14",
"950468:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"nosqli-3"
],
"request_line": "GET \/v2\/_catalog HTTP\/1.1",
"request_sample": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "00b185749700743fad60d664a5c45f7b881f85c2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/_catalog",
"request_line": "GET \/v2\/_catalog HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/v2\/_catalog",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"evidence_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"attack_vector": "lfi path traversal \u00b7 via ELASTICSEARCH:9200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/_catalog",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 59 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via ELASTICSEARCH",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 64,
"classification": 78,
"behavior": 0,
"geo": 40,
"protocol": 50,
"novelty": 25,
"risk_score": 53
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "elasticsearch",
"service_label_fr": "ELASTICSEARCH",
"dst_port": 9200,
"protocol_emulated": true,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Elasticsearch 8.11",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/v2\/_catalog",
"request_line": "GET \/v2\/_catalog HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/v2\/_catalog",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"attack_vector": "lfi path traversal \u00b7 via ELASTICSEARCH:9200 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/v2\/_catalog",
"evidence_snippet": "GET \/v2\/_catalog HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 59 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 64 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "elasticsearch",
"service_banner": "Elasticsearch 8.11",
"service_os": "linux",
"dst_port": "9200"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950316:lfi-14",
"950468:nosqli-3",
"http_probe_registry",
"http_ua_suspicious",
"net_elasticsearch_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
9200 · ELASTICSEARCH
|
elasticsearch
|
SSRF
ssrf attack · via ELASTICSEARCH:9200 · (tentative d'exploit)
|
Élevée
|
Élevé · 65
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0001
TA0001
TA0002
Protocole
GET / Requête Elasticsearch : / UA Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)
Émulateur
ELASTICSEARCH
WAF
22
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9200
Chemin / cible
/
Pourquoi cette classification : Règle WAF « ssrf-3 » · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Élevé
· 65
Confiance : Confiance 50 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
Upstream
Waf Score
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)
Règles WAF
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9200
User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/)
Accept: */*
Accep
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9200 User-Agent: Mozilla/5.0 (compatible; Odin; https://docs.getodin.com/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c",
"emulator_response_len": 172,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "033dedd926f028341b5d0b4ba132f8088c552b7c",
"http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 148,
"payload_entropy": 5.119781174038729,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "elasticsearch",
"app_proto": "elasticsearch",
"asn": 14061,
"country": "US",
"dst_port": 9200,
"risk_waf": 96,
"risk_classification": 84,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 96,
"classification": 84,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 65,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "f12873e8a681bfec9f8f1c0ba0f0195b88db60b0",
"event_fingerprint": "0d48c452c71c07dbf600cbf2384e0fbbfd47012e",
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%",
"confidence": 0.5,
"classification_confidence": 0.5,
"precision_score": 55,
"precision_signals": [
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103"
],
"matched_pattern_names": [
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0103"
],
"confidence_breakdown": {
"waf": 96,
"classification": 84,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 65
},
"named_classification_skipped": false,
"service_name": "elasticsearch",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "9f9c7ebc5d6f6c8d69ee2392fa6e3a4f",
"payload_hash": "1ce8f99317e4171ae84f059ccceb7d24",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9200,
"service": "elasticsearch",
"service_name": "elasticsearch",
"risk_score": 65
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccep",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccep",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccep",
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"ssrf_probe"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "69c4e85fc4881141ac2da1dea5a64af4fd4107d6",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)",
"elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccep",
"attack_vector": "ssrf attack \u00b7 via ELASTICSEARCH:9200 \u00b7 (tentative d'exploit)",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%",
"classification_reason_label_fr": "R\u00e8gle WAF \u00ab ssrf-3 \u00bb \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via ELASTICSEARCH",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 96,
"classification": 84,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 65
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 65,
"risk_label": "\u00c9lev\u00e9",
"service_name": "elasticsearch",
"service_label_fr": "ELASTICSEARCH",
"dst_port": 9200,
"protocol_emulated": true,
"tags_summary": [
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Upstream",
"Waf Score"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Elasticsearch 8.11",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)",
"elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"attack_vector": "ssrf attack \u00b7 via ELASTICSEARCH:9200 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Odin; https:\/\/docs.getodin.com\/)\r\nAccept: *\/*\r\nAccep",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 96 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "elasticsearch",
"service_banner": "Elasticsearch 8.11",
"service_os": "linux",
"dst_port": "9200"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_elasticsearch_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9200 · ELASTICSEARCH
|
elasticsearch
|
Sonde SAP Diag/GUI
Sonde SAP Diag/GUI · via ELASTICSEARCH:9200 · (sonde / probe) · → /query
|
Élevée
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
GET /query Requête Elasticsearch : /query?q=SHOW+DIAGNOSTICS UA Go-http-client/1.1
Émulateur
ELASTICSEARCH
WAF
0
Recommandation
Surveiller
Tags
http_ua_suspicious
net_sap_diag_probe
Cible HTTP
GET
/query
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9200
Chemin / cible
/query
Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET /query?q=SHOW+DIAGNOSTICS HTTP/1.1
User-Agent
Go-http-client/1.1
Règles WAF
—
Payload (extrait)
GET /query?q=SHOW+DIAGNOSTICS HTTP/1.1
Host: 62.3.50.33:9200
User-Agent: Go-http-client/1.1
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c",
"emulator_response_len": 172,
"http_header_count": 3,
"http_query_params": 1,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2",
"http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e",
"http_target_hash": "148d0a7b9fa867b9eb3d978e0caa495e68940f78",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 116,
"payload_entropy": 5.259089785000451,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "elasticsearch",
"app_proto": "elasticsearch",
"asn": 14061,
"country": "US",
"dst_port": 9200,
"risk_waf": 8,
"risk_classification": 62,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 50,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 50,
"novelty": 15
},
"risk_score": 24,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "42df2c82fa1062d5d23aece3a9eebe9dec615be6",
"event_fingerprint": "e958f05f1535baf4af8ec4c9d5a6e0cfb5437307",
"classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 50,
"novelty": 15,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "elasticsearch",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1",
"payload_hash": "e0023ffddbf04fb3812750705c568bf3",
"path_pattern_hash": "645c82d3be5cca3e8520101eb38681a7"
},
"target_context": {
"dst_port": 9200,
"service": "elasticsearch",
"service_name": "elasticsearch",
"risk_score": 24
},
"payload_preview": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/query",
"query_string": "q=SHOW+DIAGNOSTICS",
"user_agent": "Go-http-client\/1.1",
"request_line": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1",
"request_sample": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/query",
"query_string": "q=SHOW+DIAGNOSTICS",
"user_agent": "Go-http-client\/1.1",
"request_line": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1",
"request_sample": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"sap_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "86f1bff9ce427b30c85c1b9bb12885d19e78584a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/query",
"request_line": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/query?q=SHOW+DIAGNOSTICS",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"evidence_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"attack_vector": "Sonde SAP Diag\/GUI \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/query",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 62,
"behavior": 0,
"geo": 40,
"protocol": 50,
"novelty": 15,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "elasticsearch",
"service_label_fr": "ELASTICSEARCH",
"dst_port": 9200,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Elasticsearch 8.11",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/query",
"request_line": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/query?q=SHOW+DIAGNOSTICS",
"port": 9200,
"service": "elasticsearch",
"service_label_fr": "ELASTICSEARCH"
},
"attack_vector": "Sonde SAP Diag\/GUI \u00b7 via ELASTICSEARCH:9200 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/query",
"evidence_snippet": "GET \/query?q=SHOW+DIAGNOSTICS HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"target_port_label": "9200 \u00b7 ELASTICSEARCH",
"emulator_service": "elasticsearch",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "elasticsearch",
"service_banner": "Elasticsearch 8.11",
"service_os": "linux",
"dst_port": "9200"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_ua_suspicious",
"net_sap_diag_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
15671 · HTTP
|
http
|
Sonde fichier configuration
config file probe · via HTTP:15671 · (tentative d'exploit) · → /cgi-bin/authLogin.cgi
|
Élevée
|
Moyen · 46
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1083
TA0001
TA0002
Protocole
GET /cgi-bin/authLogin.cgi UA Go-http-client/1.1
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950468:nosqli-3
http_probe_cgi_bin
http_sensitive_path
http_ua_suspicious
Cible HTTP
GET
/cgi-bin/authLogin.cgi
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
15671
Chemin / cible
/cgi-bin/authLogin.cgi
Pourquoi cette classification : Sonde fichier sensible: chemin sensible (tag interne) · Règle WAF « nosqli-3 » · Sonde fichier sensible / config · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 46
Confiance : Confiance 97 % — 1 tag(s) WAF
Protocole émulé
1
Signaux
Http Sensitive
Upstream
Tactiques MITRE
TA0001
TA0002
Ligne de requête
GET /cgi-bin/authLogin.cgi HTTP/1.1
User-Agent
Go-http-client/1.1
Règles WAF
nosqli-3
Payload (extrait)
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 62.3.50.33:15671
User-Agent: Go-http-client/1.1
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "cgi",
"http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2",
"http_host_hash": "8601cef8c1a410d202a4b0e031c4e59225bb7c01",
"http_target_hash": "8add963f0e61f10c41c8eee4caf504d0e863a0b6",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 114,
"payload_entropy": 4.923636208859579,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "http",
"app_proto": "http",
"asn": 14061,
"country": "US",
"dst_port": 15671,
"risk_waf": 32,
"risk_classification": 74,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 32,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 46,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "70dc0ecb822a3122c9e3cded63340fd9405db6b9",
"event_fingerprint": "b1b663e6dac8dc90dac044e9e5290551e3fcca67",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 97,
"precision_signals": [
"INT-http_sensitive",
"INT-upstream"
],
"kb_rule_ids": [
"INT-http_sensitive",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 32,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 46
},
"named_classification_skipped": false,
"classification_parent": "backup_file_scan",
"service_name": "http",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1",
"payload_hash": "07de27244c54e60c6688e3dbac5d4155",
"path_pattern_hash": "45fb04fbc0c9ee592196ecdb80f81814"
},
"target_context": {
"dst_port": 15671,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:15671\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/cgi-bin\/authLogin.cgi",
"user_agent": "Go-http-client\/1.1",
"waf_tags": [
"950468:nosqli-3"
],
"waf_rule_names": [
"nosqli-3"
],
"request_line": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1",
"request_sample": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:15671\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:15671\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/cgi-bin\/authLogin.cgi",
"user_agent": "Go-http-client\/1.1",
"waf_tags": [
"950468:nosqli-3"
],
"waf_rule_names": [
"nosqli-3"
],
"request_line": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1",
"request_sample": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:15671\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:15671\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1083"
],
"mitre": "T1083",
"threat_family": [
"path_traversal",
"config_leak_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0e2d3e239ae391f1cc36bb7bd0f0a0ab1228b46f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/cgi-bin\/authLogin.cgi",
"request_line": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"port": 15671,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:15671\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"attack_vector": "config file probe \u00b7 via HTTP:15671 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/authLogin.cgi",
"target_port_label": "15671 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 97 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%",
"classification_reason_label_fr": "Sonde fichier sensible: chemin sensible (tag interne) \u00b7 R\u00e8gle WAF \u00ab nosqli-3 \u00bb \u00b7 Sonde fichier sensible \/ config \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE T1083 \u2014 confiance 97 % \u2014 via HTTP",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 32,
"classification": 74,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 46
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 15671,
"protocol_emulated": true,
"tags_summary": [
"INT-http_sensitive",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Http Sensitive",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1083",
"mitre_technique": "T1083",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/cgi-bin\/authLogin.cgi",
"request_line": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"port": 15671,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "config file probe \u00b7 via HTTP:15671 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/authLogin.cgi",
"evidence_snippet": "GET \/cgi-bin\/authLogin.cgi HTTP\/1.1\r\nHost: 62.3.50.33:15671\r\nUser-Agent: Go-http-client\/1.1\r\nConnection: close",
"target_port_label": "15671 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 97 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 32 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "15671"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950468:nosqli-3",
"http_probe_cgi_bin",
"http_sensitive_path",
"http_ua_suspicious",
"iot_http_endpoint",
"net_web_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
15671 · RABBITMQ AMQP ALT
|
rabbitmq-amqp-alt
|
Sonde PostgreSQL
postgres probe · via RABBITMQ AMQP ALT:15671 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 d6828e30ab66774a
Émulateur
RABBITMQ-AMQP-ALT
WAF
—
Recommandation
Surveiller
Tags
amqp_emulated
net_amqp_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
15671
Chemin / cible
—
Service
RABBITMQ AMQP ALT
Payload
��������������0�7V`�J�������5��F�B�U�]O�*E� �}aKm��� ���-�X����$���/�D��&�+�/�,�0̨̩� ��� �������/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������0�7V`�J�������5��F�B�U�]O�*E� �}aKm��� ���-�X����$���/�D��&�+�/�,�0̨̩� ���
�������/�5���
���������{�����
Requête brute (extrait)
��������������0�7V`�J�������5��F�B�U�]O�*E� �}aKm��� ���-�X����$���/�D��&�+�/�,�0̨̩� ��� �������/�5��� ���������{���������� � ����������� ����� ������������������������������������������+��������3�&�$��� ���b�n7:����+{ f��["p��6ܟ�^�H�E
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.822836961486152,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "rabbitmq-amqp-alt",
"app_proto": "rabbitmq-amqp-alt",
"asn": 14061,
"country": "US",
"dst_port": 15671,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "040536fe3395b1b40d1b3ed5518168535b7e9f5f",
"event_fingerprint": "b9f59d3714affe35498245ea9ddd6ed9d5c90042",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "rabbitmq-amqp-alt",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0f01bbbefe5db4edcbaa9cccf641bc5d",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"ja4": "e4d60caa902b8b84112358f96af813c3",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "e4d60caa902b8b84112358f96af813c3",
"tls_ja4": "t13d0119_0f418b0e79cc_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 15671,
"service": "rabbitmq-amqp-alt",
"service_name": "rabbitmq-amqp-alt",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd7V`\ufffdJ\u0000\ufffd\ufffd\ufffd\ufffd\b\u001e5\ufffd\ufffdF\ufffdB\ufffdU\ufffd]O\ufffd*E\ufffd \ufffd}aKm\u001e\ufffd\ufffd\t\ufffd\ufffd\ufffd-\ufffdX\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u0098\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd7V`\ufffdJ\u0000\ufffd\ufffd\ufffd\ufffd\b\u001e5\ufffd\ufffdF\ufffdB\ufffdU\ufffd]O\ufffd*E\ufffd \ufffd}aKm\u001e\ufffd\ufffd\t\ufffd\ufffd\ufffd-\ufffdX\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u0098\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u000e\u000eb\ufffdn7:\ufffd\ufffd\ufffd\ufffd+{\ff\ufffd\ufffd[\"p\ufffd\ufffd6\u071f\ufffd^\u0017H\ufffdE",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd7V`\ufffdJ\u0000\ufffd\ufffd\ufffd\ufffd\b\u001e5\ufffd\ufffdF\ufffdB\ufffdU\ufffd]O\ufffd*E\ufffd \ufffd}aKm\u001e\ufffd\ufffd\t\ufffd\ufffd\ufffd-\ufffdX\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u0098\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "21369055b7ee3e6760d6af945ed87d149e92af60",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd7V`\ufffdJ\u0000\ufffd\ufffd\ufffd\ufffd\b\u001e5\ufffd\ufffdF\ufffdB\ufffdU\ufffd]O\ufffd*E\ufffd \ufffd}aKm\u001e\ufffd\ufffd\t\ufffd\ufffd\ufffd-\ufffdX\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u0098\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja4": "e4d60caa902b8b84112358f96af813c3",
"port": 15671,
"service": "rabbitmq-amqp-alt",
"service_label_fr": "RABBITMQ AMQP ALT"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd7V`\ufffdJ\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffdF\ufffdB\ufffdU\ufffd]O\ufffd*E\ufffd \ufffd}aKm\ufffd\ufffd\t\ufffd\ufffd\ufffd-\ufffdX\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u0098\ufffd\/\ufffdD\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via RABBITMQ AMQP ALT:15671 \u00b7 (sonde \/ probe)",
"target_port_label": "15671 \u00b7 RABBITMQ AMQP ALT",
"emulator_service": "rabbitmq-amqp-alt",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "rabbitmq-amqp-alt",
"service_label_fr": "RABBITMQ AMQP ALT",
"dst_port": 15671,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rabbitmq-amqp-alt",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0\ufffd7V`\ufffdJ\u0000\ufffd\ufffd\ufffd\ufffd\b\u001e5\ufffd\ufffdF\ufffdB\ufffdU\ufffd]O\ufffd*E\ufffd \ufffd}aKm\u001e\ufffd\ufffd\t\ufffd\ufffd\ufffd-\ufffdX\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u0098\ufffd\/\ufffdD\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja4": "e4d60caa902b8b84112358f96af813c3",
"port": 15671,
"service": "rabbitmq-amqp-alt",
"service_label_fr": "RABBITMQ AMQP ALT"
},
"attack_vector": "postgres probe \u00b7 via RABBITMQ AMQP ALT:15671 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd7V`\ufffdJ\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffdF\ufffdB\ufffdU\ufffd]O\ufffd*E\ufffd \ufffd}aKm\ufffd\ufffd\t\ufffd\ufffd\ufffd-\ufffdX\ufffd\ufffd\ufffd\ufffd$\ufffd\ufffd\u0098\ufffd\/\ufffdD\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "15671 \u00b7 RABBITMQ AMQP ALT",
"emulator_service": "rabbitmq-amqp-alt",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rabbitmq_amqp_alt",
"service_banner": "honeypot-rabbitmq-amqp-alt",
"service_os": "linux",
"dst_port": "15671"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"rabbitmq-amqp-alt"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"amqp_emulated",
"net_amqp_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
15671 · RABBITMQ AMQP ALT
|
rabbitmq-amqp-alt
|
Sonde PostgreSQL
postgres probe · via RABBITMQ AMQP ALT:15671 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 d6828e30ab66774a
Émulateur
RABBITMQ-AMQP-ALT
WAF
—
Recommandation
Surveiller
Tags
amqp_emulated
net_amqp_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
15671
Chemin / cible
—
Service
RABBITMQ AMQP ALT
Payload
������������� "c�#Bչ�>G�O���I��cw����`�-�F ����k�^�>\a�k�B3�k�]80�J����?�Ӌ�&�+�/�,�0̨̩� ��� �������/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������"c�#Bչ�>G�O���I��cw����`�-�F ����k�^�>\a�k�B3�k�]80�J����?�Ӌ�&�+�/�,�0̨̩� ���
�������/�5���
���������{�����
Requête brute (extrait)
������������� "c�#Bչ�>G�O���I��cw����`�-�F ����k�^�>\a�k�B3�k�]80�J����?�Ӌ�&�+�/�,�0̨̩� ��� �������/�5��� ���������{���������� � ����������� ����� ������������������������������������������+��������3�&�$��� �f�l/�8 �����>b���ծ����֎-`��<
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.777299711333,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "rabbitmq-amqp-alt",
"app_proto": "rabbitmq-amqp-alt",
"asn": 14061,
"country": "US",
"dst_port": 15671,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "040536fe3395b1b40d1b3ed5518168535b7e9f5f",
"event_fingerprint": "b9f59d3714affe35498245ea9ddd6ed9d5c90042",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "rabbitmq-amqp-alt",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "df8bd624a0b23ebb8314400d5bf7ebc2",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"ja4": "e4d60caa902b8b84112358f96af813c3",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-23-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "e4d60caa902b8b84112358f96af813c3",
"tls_ja4": "t13d0119_0f418b0e79cc_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 15671,
"service": "rabbitmq-amqp-alt",
"service_name": "rabbitmq-amqp-alt",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\"c\ufffd#B\u0579\ufffd>G\ufffdO\ufffd\ufffd\ufffdI\ufffd\u001bcw\ufffd\ufffd\ufffd\ufffd`\ufffd-\ufffdF \ufffd\ufffd\ufffd\u0002k\u0015^\ufffd>\\a\u0017k\ufffdB3\ufffdk\u0005]80\ufffdJ\ufffd\ufffd\ufffd\u0017?\u001a\u04cb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\"c\ufffd#B\u0579\ufffd>G\ufffdO\ufffd\ufffd\ufffdI\ufffd\u001bcw\ufffd\ufffd\ufffd\ufffd`\ufffd-\ufffdF \ufffd\ufffd\ufffd\u0002k\u0015^\ufffd>\\a\u0017k\ufffdB3\ufffdk\u0005]80\ufffdJ\ufffd\ufffd\ufffd\u0017?\u001a\u04cb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdf\u0018l\/\ufffd8\n\ufffd\u000f\ufffd\ufffd\ufffd>b\ufffd\ufffd\ufffd\u056e\ufffd\ufffd\ufffd\ufffd\u058e-`\u0006\ufffd<",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\"c\ufffd#B\u0579\ufffd>G\ufffdO\ufffd\ufffd\ufffdI\ufffd\u001bcw\ufffd\ufffd\ufffd\ufffd`\ufffd-\ufffdF \ufffd\ufffd\ufffd\u0002k\u0015^\ufffd>\\a\u0017k\ufffdB3\ufffdk\u0005]80\ufffdJ\ufffd\ufffd\ufffd\u0017?\u001a\u04cb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ca3acf484529af2f18a6c3eda0784e5164eebe63",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\"c\ufffd#B\u0579\ufffd>G\ufffdO\ufffd\ufffd\ufffdI\ufffd\u001bcw\ufffd\ufffd\ufffd\ufffd`\ufffd-\ufffdF \ufffd\ufffd\ufffd\u0002k\u0015^\ufffd>\\a\u0017k\ufffdB3\ufffdk\u0005]80\ufffdJ\ufffd\ufffd\ufffd\u0017?\u001a\u04cb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja4": "e4d60caa902b8b84112358f96af813c3",
"port": 15671,
"service": "rabbitmq-amqp-alt",
"service_label_fr": "RABBITMQ AMQP ALT"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\"c\ufffd#B\u0579\ufffd>G\ufffdO\ufffd\ufffd\ufffdI\ufffdcw\ufffd\ufffd\ufffd\ufffd`\ufffd-\ufffdF \ufffd\ufffd\ufffdk^\ufffd>\\ak\ufffdB3\ufffdk]80\ufffdJ\ufffd\ufffd\ufffd?\u04cb&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via RABBITMQ AMQP ALT:15671 \u00b7 (sonde \/ probe)",
"target_port_label": "15671 \u00b7 RABBITMQ AMQP ALT",
"emulator_service": "rabbitmq-amqp-alt",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "rabbitmq-amqp-alt",
"service_label_fr": "RABBITMQ AMQP ALT",
"dst_port": 15671,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rabbitmq-amqp-alt",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\"c\ufffd#B\u0579\ufffd>G\ufffdO\ufffd\ufffd\ufffdI\ufffd\u001bcw\ufffd\ufffd\ufffd\ufffd`\ufffd-\ufffdF \ufffd\ufffd\ufffd\u0002k\u0015^\ufffd>\\a\u0017k\ufffdB3\ufffdk\u0005]80\ufffdJ\ufffd\ufffd\ufffd\u0017?\u001a\u04cb\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "d6828e30ab66774a91a96ae93be4ae4c",
"tls_ja4": "e4d60caa902b8b84112358f96af813c3",
"port": 15671,
"service": "rabbitmq-amqp-alt",
"service_label_fr": "RABBITMQ AMQP ALT"
},
"attack_vector": "postgres probe \u00b7 via RABBITMQ AMQP ALT:15671 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\"c\ufffd#B\u0579\ufffd>G\ufffdO\ufffd\ufffd\ufffdI\ufffdcw\ufffd\ufffd\ufffd\ufffd`\ufffd-\ufffdF \ufffd\ufffd\ufffdk^\ufffd>\\ak\ufffdB3\ufffdk]80\ufffdJ\ufffd\ufffd\ufffd?\u04cb&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "15671 \u00b7 RABBITMQ AMQP ALT",
"emulator_service": "rabbitmq-amqp-alt",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rabbitmq_amqp_alt",
"service_banner": "honeypot-rabbitmq-amqp-alt",
"service_os": "linux",
"dst_port": "15671"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"rabbitmq-amqp-alt"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"amqp_emulated",
"net_amqp_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|