18/06/2026 04:43:22 UTC
TCP
5902 · VNC 2
Sonde port 5902/TCP
port 5902 tcp · via VNC 2:5902 · (sonde / probe)
Élevée
Moyen · 41
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
VNC-2
WAF
—
Recommandation
Surveiller
Tags
net_vnc_probe
vnc_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
5902
Chemin / cible
—
Preuve honeypot — Sonde port 5902/TCP
Connexion détectée sur le port 5902 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_5902_tcp » (signaux protocolaires) · confiance 69%
Confiance classification
69%
Risque capteur
Moyen
· 41
Confiance : Confiance 69 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1 Signaux
Tcp Vnc Auth
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "524642203030332e3030380a",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": "vnc-2",
"app_proto": "vnc-2",
"asn": 396982,
"country": "US",
"dst_port": 5902,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 41,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "ed4fe55cf9b71383f61b8f50ff2387f345c04ff2",
"event_fingerprint": "e7dead7c09362c8a4cba81baa9e82f36d512e52d",
"classification_reason": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 82,
"precision_signals": [
"INT-tcp-vnc-auth"
],
"kb_rule_ids": [
"INT-tcp-vnc-auth"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"named_classification_skipped": true,
"named_candidate": "vnc_bruteforce",
"service_name": "vnc-2",
"risk_confidence_factor": 69,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "2d19cc5560e3efa3989a62110ae7f4ae"
},
"target_context": {
"dst_port": 5902,
"service": "vnc-2",
"service_name": "vnc-2",
"risk_score": 41
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8ebcaae52f13f4e32142256f690abd6cc2f1925e",
"protocol_details": {
"port": 5902,
"service": "vnc-2",
"service_label_fr": "VNC 2"
},
"attack_vector": "port 5902 tcp \u00b7 via VNC 2:5902 \u00b7 (sonde \/ probe)",
"target_port_label": "5902 \u00b7 VNC 2",
"emulator_service": "vnc-2",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"classification_reason_label_fr": "Type \u00ab port_5902_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 41,
"risk_label": "Moyen",
"service_name": "vnc-2",
"service_label_fr": "VNC 2",
"dst_port": 5902,
"protocol_emulated": true,
"tags_summary": [
"INT-tcp-vnc-auth"
],
"tags_summary_labels_fr": [
"Tcp Vnc Auth"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-vnc-2",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 5902,
"service": "vnc-2",
"service_label_fr": "VNC 2"
},
"attack_vector": "port 5902 tcp \u00b7 via VNC 2:5902 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5902 \u00b7 VNC 2",
"emulator_service": "vnc-2",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "vnc_2",
"service_banner": "honeypot-vnc-2",
"service_os": "linux",
"dst_port": "5902"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_vnc_probe",
"vnc_emulated"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
17/06/2026 10:52:06 UTC
TCP
8333 · BITCOIN
Sonde PostgreSQL
postgres probe · via BITCOIN:8333 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
BITCOIN
WAF
—
Recommandation
Surveiller
Tags
bitcoin_emulated
bitcoin_version
net_bitcoin_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8333
Chemin / cible
—
Service
BITCOIN
Payload
����version�����U������@�����������ަ�f������������W�������������� ��������� �� ��������������RsA��4�������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����version�����U������@�����������ަ�f������������W�������������� ���������
��
��������������RsA��4��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "f9beb4d97d000000000000007f11010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff00000000",
"emulator_response_len": 130,
"bytes_in": 109,
"payload_entropy": 3.0667723261819746,
"port_category": "registered",
"org": "Google LLC",
"service": "bitcoin",
"app_proto": "bitcoin",
"asn": 396982,
"country": "US",
"dst_port": 8333,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "7d1200fc7f6bdcf80682b9585b48b0b97f6eb2b7",
"event_fingerprint": "34c7621b91cda0c6a21c6948f9570ac241d1b132",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "bitcoin",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "433ec635c87c18ffd37408c630139da1",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 8333,
"service": "bitcoin",
"service_name": "bitcoin",
"risk_score": 35
},
"payload_snippet": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000U\u0000\u0000\u0000\ufffd\ufffd\b@\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u07a6\u0016f\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000W\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \ufffd\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\ufffd\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdRsA\ufffd\ufffd4\u0001\ufffd\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000U\u0000\u0000\u0000\ufffd\ufffd\b@\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u07a6\u0016f\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000W\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \ufffd\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\ufffd\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdRsA\ufffd\ufffd4\u0001\ufffd\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000U\u0000\u0000\u0000\ufffd\ufffd\b@\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u07a6\u0016f\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000W\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \ufffd\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\ufffd\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdRsA\ufffd\ufffd4\u0001\ufffd\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ed97ec2f6906fa604675acd5e3fd26b4d345c5a",
"protocol_details": {
"payload_preview": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000U\u0000\u0000\u0000\ufffd\ufffd\b@\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u07a6\u0016f\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000W\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \ufffd\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\ufffd\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdRsA\ufffd\ufffd4\u0001\ufffd\u0000\u0000\u0000\u0000\u0000",
"port": 8333,
"service": "bitcoin",
"service_label_fr": "BITCOIN"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdversionU\ufffd\ufffd@\ufffd\u07a6fW\ufffd\ufffd \ufffd\n\ufffd\n\ufffd\ufffdRsA\ufffd\ufffd4\ufffd",
"attack_vector": "postgres probe \u00b7 via BITCOIN:8333 \u00b7 (sonde \/ probe)",
"target_port_label": "8333 \u00b7 BITCOIN",
"emulator_service": "bitcoin",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "bitcoin",
"service_label_fr": "BITCOIN",
"dst_port": 8333,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-bitcoin",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000U\u0000\u0000\u0000\ufffd\ufffd\b@\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u07a6\u0016f\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000W\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \ufffd\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\n\ufffd\u0000\n\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdRsA\ufffd\ufffd4\u0001\ufffd\u0000\u0000\u0000\u0000\u0000",
"port": 8333,
"service": "bitcoin",
"service_label_fr": "BITCOIN"
},
"attack_vector": "postgres probe \u00b7 via BITCOIN:8333 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdversionU\ufffd\ufffd@\ufffd\u07a6fW\ufffd\ufffd \ufffd\n\ufffd\n\ufffd\ufffdRsA\ufffd\ufffd4\ufffd",
"target_port_label": "8333 \u00b7 BITCOIN",
"emulator_service": "bitcoin",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "bitcoin",
"service_banner": "honeypot-bitcoin",
"service_os": "linux",
"dst_port": "8333"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"bitcoin_emulated",
"bitcoin_version",
"net_bitcoin_probe"
],
"asn_dc_heuristic": true
}
16/06/2026 19:24:32 UTC
TCP
118
—
Sonde port
Sonde port · port 118 · (sonde / probe)
Faible
Moyen · 44
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
118
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 8,
"payload_entropy": 2.4056390622295662,
"port_category": "well_known",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 118,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "0c1eff6c0f1720de1a3dabeedd4f3d09d8a3ec77",
"event_fingerprint": "cba3bc75578d375177698891e66631516a71cfe8",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "694bec2754742b999eb8e010ccd19ce8",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 118,
"risk_score": 44
},
"payload_preview": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"request_sample": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"payload_snippet": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"evidence": {
"request_sample": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"payload_snippet": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "960c1ca07c6898c9963df98e88df45d21b9dac52",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"port": 118
},
"evidence_snippet": "\ufffd\/",
"attack_vector": "Sonde port \u00b7 port 118 \u00b7 (sonde \/ probe)",
"target_port_label": "118",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 118,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\b\u0004\ufffd\u0016\/",
"port": 118
},
"attack_vector": "Sonde port \u00b7 port 118 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\/",
"target_port_label": "118",
"emulator_service": null,
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "118"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
15/06/2026 05:16:48 UTC
TCP
24156 · TLS
Sonde port 24156/TCP
port 24156 tcp · via TLS:24156 · (sonde / probe)
Élevée
Moyen · 40
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 16ee84a07b55074c
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
24156
Chemin / cible
—
Preuve honeypot — Sonde port 24156/TCP
Connexion détectée sur le port 24156 (TCP) du capteur simulé.
Service
TLS
Payload
����i���e��U���random1random2random3random4�� �/� ���9�������0� �,�*������������������������������������������
Pourquoi cette classification : Type « port_24156_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Moyen
· 40
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����i���e��U���random1random2random3random4����/�
���9�������0�
�,�*������������������������������������������
Meta JSON brut
{
"tls_ja3_hash": "16ee84a07b55074cb2751329bf1c8811",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 5,
"bytes_in": 110,
"payload_entropy": 4.269606220838881,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 24156,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0
},
"risk_score": 40,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b993e8829173d0cf7bd7b3b07be46ca216166706",
"event_fingerprint": "00fa988d254da9ce99697acb22140a02f81f6f79",
"classification_reason": "Type \u00ab port_24156_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0,
"risk_score": 40,
"correlation_boost": 8
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "16ee84a07b55074cb2751329bf1c8811",
"payload_hash": "4ad5dce8143f2bcf1242885cff6e93f8",
"path_pattern_hash": "cacac2204fc201922fb93e1a37026399",
"ja4": "011b865e5f91ae5e1836c88110724dcb",
"tls_version": "0x0303",
"tls_cipher_count": 6,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,47-10-19-57-4-255,13,,",
"tls_ja4_hash": "011b865e5f91ae5e1836c88110724dcb",
"tls_ja4": "t13d0106_3fdba35f04dc_d03502c43d74",
"tls_version": "0x0303",
"tls_cipher_count": 6,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 24156,
"service": "tls",
"service_name": "tls",
"risk_score": 40
},
"payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"evidence": {
"request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"classification_reason": "Type \u00ab port_24156_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "81897d9acbad9d8ffab59790fd6344861f0384b9",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"tls_ja3": "16ee84a07b55074cb2751329bf1c8811",
"tls_ja4": "011b865e5f91ae5e1836c88110724dcb",
"port": 24156,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,*",
"attack_vector": "port 24156 tcp \u00b7 via TLS:24156 \u00b7 (sonde \/ probe)",
"target_port_label": "24156 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_24156_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_24156_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 24156,
"protocol_emulated": null,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"tls_ja3": "16ee84a07b55074cb2751329bf1c8811",
"tls_ja4": "011b865e5f91ae5e1836c88110724dcb",
"port": 24156,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port 24156 tcp \u00b7 via TLS:24156 \u00b7 (sonde \/ probe)",
"evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,*",
"target_port_label": "24156 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "24156"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"port:24156",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 05:16:48 UTC
TCP
24156 · TLS
Sonde TLS
tls probe · via TLS:24156 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 004556e859f3c26c
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
24156
Chemin / cible
—
Service
TLS
Payload
��������������_�|���)�F��B����-�"վ��Q���� ����*\�l1��� [p��������^�7�/#&{�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3��
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������_�|���)�F��B����-�"վ��Q���� ����*\�l1����[p��������^�7�/#&{�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g�
���9� ���3��
Requête brute (extrait)
��������������_�|���)�F��B����-�"վ��Q���� ����*\�l1��� [p��������^�7�/#&{�>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3�����=�<�5�/�����u� ������� � � �����������#����������� �0�.����������� � � �������������������������������+� ����������-�����3�&
Meta JSON brut
{
"tls_ja3_hash": "004556e859f3c26c5d19746b3a957c74",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 8,
"bytes_in": 517,
"payload_entropy": 3.9641159204224663,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 24156,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b993e8829173d0cf7bd7b3b07be46ca216166706",
"event_fingerprint": "35f7940077c40eab1c2bde0f41819f9e55c4dfdf",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "004556e859f3c26c5d19746b3a957c74",
"payload_hash": "6f544c448d8a3f8987353610f2aa528d",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 24156,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0007\ufffd\u0016_\u001e|\ufffd\ufffd\ufffd)\u0014F\ufffd\ufffdB\u0000\ufffd\u0018\ufffd-\ufffd\"\u057e\u0003\ufffdQ\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\u0014\ufffd*\\\ufffdl1\u0006\ufffd\u0002\u000b[p\ufffd\u0013\u001c\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd7\ufffd\/#&{\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0007\ufffd\u0016_\u001e|\ufffd\ufffd\ufffd)\u0014F\ufffd\ufffdB\u0000\ufffd\u0018\ufffd-\ufffd\"\u057e\u0003\ufffdQ\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\u0014\ufffd*\\\ufffdl1\u0006\ufffd\u0002\u000b[p\ufffd\u0013\u001c\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd7\ufffd\/#&{\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0007\ufffd\u0016_\u001e|\ufffd\ufffd\ufffd)\u0014F\ufffd\ufffdB\u0000\ufffd\u0018\ufffd-\ufffd\"\u057e\u0003\ufffdQ\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\u0014\ufffd*\\\ufffdl1\u0006\ufffd\u0002\u000b[p\ufffd\u0013\u001c\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd7\ufffd\/#&{\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5e6503b31858c91858b2fc2f3f6a2b59db11ec39",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0007\ufffd\u0016_\u001e|\ufffd\ufffd\ufffd)\u0014F\ufffd\ufffdB\u0000\ufffd\u0018\ufffd-\ufffd\"\u057e\u0003\ufffdQ\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\u0014\ufffd*\\\ufffdl1\u0006\ufffd\u0002\u000b[p\ufffd\u0013\u001c\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd7\ufffd\/#&{\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"tls_ja3": "004556e859f3c26c5d19746b3a957c74",
"port": 24156,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd_|\ufffd\ufffd\ufffd)F\ufffd\ufffdB\ufffd\ufffd-\ufffd\"\u057e\ufffdQ\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd*\\\ufffdl1\ufffd[p\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd7\ufffd\/#&{>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"attack_vector": "tls probe \u00b7 via TLS:24156 \u00b7 (sonde \/ probe)",
"target_port_label": "24156 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 24156,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\u0007\ufffd\u0016_\u001e|\ufffd\ufffd\ufffd)\u0014F\ufffd\ufffdB\u0000\ufffd\u0018\ufffd-\ufffd\"\u057e\u0003\ufffdQ\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\u0014\ufffd*\\\ufffdl1\u0006\ufffd\u0002\u000b[p\ufffd\u0013\u001c\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd7\ufffd\/#&{\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"tls_ja3": "004556e859f3c26c5d19746b3a957c74",
"port": 24156,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:24156 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd_|\ufffd\ufffd\ufffd)F\ufffd\ufffdB\ufffd\ufffd-\ufffd\"\u057e\ufffdQ\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd*\\\ufffdl1\ufffd[p\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffd7\ufffd\/#&{>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"target_port_label": "24156 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "24156"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"port:24156",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
15/06/2026 05:16:44 UTC
TCP
24156
—
Sonde port
Sonde port · port 24156 · (sonde / probe)
Faible
Moyen · 44
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
24156
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 24156,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.1,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "1147f5eddeb9af29a21e1cf611234fc72148800d",
"event_fingerprint": "3556a79cfaecff9a4e3fa6b982a472079ea93b53",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 24156,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "821220fef07c519d6de6df7e0025039d13248e9d",
"protocol_details": {
"port": 24156
},
"attack_vector": "Sonde port \u00b7 port 24156 \u00b7 (sonde \/ probe)",
"target_port_label": "24156",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 24156,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 24156
},
"attack_vector": "Sonde port \u00b7 port 24156 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "24156",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "24156"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
13/06/2026 22:52:48 UTC
TCP
2082 · HTTP
Scanner web
web scanner · via HTTP:2082 · (sonde / probe)
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Hello from Palo Alto Networks, find out more about our scans in…
Émulateur
HTTP
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2082
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1 Signaux
Scanner Palo Alto
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.100647144002227,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 2082,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "029cbb1212b125ef59d7d1940b7d5e4e6ac8457f",
"event_fingerprint": "599c0f1c4d7c64d6bc8183d5c7b712a0254b9c6c",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "9cdb3add298de320833a0d7a6b64c6b0",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2082,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "29f491d5b4711d1cb34b590a9f27d55c23145d9e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe)",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 47
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Palo Alto",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner",
"net_web_probe"
],
"asn_dc_heuristic": true
}
13/06/2026 20:45:00 UTC
TCP
8015 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8015 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 795bc7ce13f60d61
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8015
Chemin / cible
—
Service
TLS
Payload
������������!̦�hC�=_���iƲ��l�����#�o��v����h�����/�+�0�,�����'�#��� �(�$��� �������g�k�3�9���������<�=�/�5����� ��������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������!̦�hC�=_���iƲ��l�����#�o��v����h�����/�+�0�,�����'�#��� �(�$���
�������g�k�3�9���������<�=�/�5�����
��������������
Requête brute (extrait)
������������!̦�hC�=_���iƲ��l�����#�o��v����h�����/�+�0�,�����'�#��� �(�$��� �������g�k�3�9���������<�=�/�5����� ���������������2���������8�@�f�j�������5���������� ����������� ����� � � ��������������������
Meta JSON brut
{
"tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 29,
"bytes_in": 207,
"payload_entropy": 4.863732095214392,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8015,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "72a7dbdba92b9b15290625e97617fb41b402fdc8",
"event_fingerprint": "a05738c0899cb0e6173ee166caee016012694b97",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "795bc7ce13f60d61e9ac03611dd36d90",
"payload_hash": "9c3f608958c6155dd3ee2da5a847484c",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "bcc542a5296d13201e694c8f5aa448d9",
"tls_version": "0x0303",
"tls_cipher_count": 52,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0",
"tls_ja4_hash": "bcc542a5296d13201e694c8f5aa448d9",
"tls_ja4": "t13d0152_4fb103f5e16c_40d2e578a3e2",
"tls_version": "0x0303",
"tls_cipher_count": 52,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8015,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd!\u0326\u0019hC\u000f=_\ufffd\ufffd\ufffdi\u01b2\u0007\ufffdl\ufffd\u0003\u0019\ufffd\ufffd#\u000fo\ufffd\ufffdv\ufffd\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd!\u0326\u0019hC\u000f=_\ufffd\ufffd\ufffdi\u01b2\u0007\ufffdl\ufffd\u0003\u0019\ufffd\ufffd#\u000fo\ufffd\ufffdv\ufffd\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd!\u0326\u0019hC\u000f=_\ufffd\ufffd\ufffdi\u01b2\u0007\ufffdl\ufffd\u0003\u0019\ufffd\ufffd#\u000fo\ufffd\ufffdv\ufffd\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "74d5a5aa3475380f4974f476c2518647cd27f6ad",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd!\u0326\u0019hC\u000f=_\ufffd\ufffd\ufffdi\u01b2\u0007\ufffdl\ufffd\u0003\u0019\ufffd\ufffd#\u000fo\ufffd\ufffdv\ufffd\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90",
"tls_ja4": "bcc542a5296d13201e694c8f5aa448d9",
"port": 8015,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd!\u0326hC=_\ufffd\ufffd\ufffdi\u01b2\ufffdl\ufffd\ufffd\ufffd#o\ufffd\ufffdv\ufffdh\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:8015 \u00b7 (sonde \/ probe)",
"target_port_label": "8015 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8015,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd!\u0326\u0019hC\u000f=_\ufffd\ufffd\ufffdi\u01b2\u0007\ufffdl\ufffd\u0003\u0019\ufffd\ufffd#\u000fo\ufffd\ufffdv\ufffd\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90",
"tls_ja4": "bcc542a5296d13201e694c8f5aa448d9",
"port": 8015,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8015 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd!\u0326hC=_\ufffd\ufffd\ufffdi\u01b2\ufffdl\ufffd\ufffd\ufffd#o\ufffd\ufffdv\ufffdh\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd",
"target_port_label": "8015 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8015"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
13/06/2026 20:44:59 UTC
TCP
8015 · TLS
Sonde PostgreSQL
postgres probe · via TLS:8015 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8015
Chemin / cible
—
Service
TLS
Payload
������������,��BrF���"xA�����h�mמ����D�%iV t�����>?!��\��+�`%�E�6��j��� w� �&�+�/�,�0̨̩� ��� �������/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������,��BrF���"xA�����h�mמ����D�%iV t�����>?!��\��+�`%�E�6��j����w� �&�+�/�,�0̨̩� ���
�������/�5���
���������{�����
Requête brute (extrait)
������������,��BrF���"xA�����h�mמ����D�%iV t�����>?!��\��+�`%�E�6��j��� w� �&�+�/�,�0̨̩� ��� �������/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �������o�!���Wv����di!�d�O��:�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.8206467364704295,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8015,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "72a7dbdba92b9b15290625e97617fb41b402fdc8",
"event_fingerprint": "1cd866fa4f1f868340c95e2ad6e572ed363d9d46",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "5f20c94d1b18e927e9cceead1c78789c",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8015,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffdBrF\ufffd\ufffd\u0018\"xA\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdm\u05de\ufffd\ufffd\ufffd\u0006D\ufffd%iV t\u0007\u0003\ufffd\ufffd\ufffd>?!\ufffd\ufffd\\\ufffd\ufffd+\ufffd`%\u0007E\ufffd6\u001a\ufffdj\ufffd\u0001\ufffd\u000bw\ufffd\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffdBrF\ufffd\ufffd\u0018\"xA\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdm\u05de\ufffd\ufffd\ufffd\u0006D\ufffd%iV t\u0007\u0003\ufffd\ufffd\ufffd>?!\ufffd\ufffd\\\ufffd\ufffd+\ufffd`%\u0007E\ufffd6\u001a\ufffdj\ufffd\u0001\ufffd\u000bw\ufffd\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0013\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdo\u001e!\ufffd\ufffd\ufffdWv\ufffd\ufffd\ufffd\ufffddi!\u000ed\u000fO\ufffd\ufffd:\b",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffdBrF\ufffd\ufffd\u0018\"xA\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdm\u05de\ufffd\ufffd\ufffd\u0006D\ufffd%iV t\u0007\u0003\ufffd\ufffd\ufffd>?!\ufffd\ufffd\\\ufffd\ufffd+\ufffd`%\u0007E\ufffd6\u001a\ufffdj\ufffd\u0001\ufffd\u000bw\ufffd\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e3fb82f8629196d23d610a7ef067696311ff0551",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffdBrF\ufffd\ufffd\u0018\"xA\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdm\u05de\ufffd\ufffd\ufffd\u0006D\ufffd%iV t\u0007\u0003\ufffd\ufffd\ufffd>?!\ufffd\ufffd\\\ufffd\ufffd+\ufffd`%\u0007E\ufffd6\u001a\ufffdj\ufffd\u0001\ufffd\u000bw\ufffd\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8015,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd,\ufffd\ufffdBrF\ufffd\ufffd\"xA\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdm\u05de\ufffd\ufffd\ufffdD\ufffd%iV t\ufffd\ufffd\ufffd>?!\ufffd\ufffd\\\ufffd\ufffd+\ufffd`%E\ufffd6\ufffdj\ufffd\ufffdw\ufffd\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:8015 \u00b7 (sonde \/ probe)",
"target_port_label": "8015 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8015,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,\ufffd\ufffdBrF\ufffd\ufffd\u0018\"xA\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdm\u05de\ufffd\ufffd\ufffd\u0006D\ufffd%iV t\u0007\u0003\ufffd\ufffd\ufffd>?!\ufffd\ufffd\\\ufffd\ufffd+\ufffd`%\u0007E\ufffd6\u001a\ufffdj\ufffd\u0001\ufffd\u000bw\ufffd\t\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8015,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:8015 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd,\ufffd\ufffdBrF\ufffd\ufffd\"xA\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffdm\u05de\ufffd\ufffd\ufffdD\ufffd%iV t\ufffd\ufffd\ufffd>?!\ufffd\ufffd\\\ufffd\ufffd+\ufffd`%E\ufffd6\ufffdj\ufffd\ufffdw\ufffd\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8015 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8015"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
07/06/2026 04:19:24 UTC
TCP
1028 · HTTP
Scanner web
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
MITRE
T1595
TA0007
TA0001
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
1028
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1028
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1028 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "c154dee2506f6bf555575f4ad31f0324077f71cc",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.098398405489966,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 1028,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "b38f292cac0e4a3953f2ab746b225d4a69b50844",
"event_fingerprint": "3604a3399aaa30a608c68aaa6d9327c5dc1b51b9",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "c6beac37afceb77b9c1edede2e173980",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1028,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1028\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1028\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1028\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1028\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1028\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b56201fda98e4cf81ea34b65a4dea39c3c06d356",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1028"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true
}
03/06/2026 19:58:39 UTC
TCP
9418
git
Faible
Faible · 12
Détails
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
01/06/2026 16:50:11 UTC
TCP
5060
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
28
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950382:rce-14
950470:nosqli-3
Cible HTTP
OPTIONS
sip:carol@chicago.com
TLS SNI
—
Capteur
paris-1
Méthode
OPTIONS
Port
5060
Chemin / cible
sip:carol@chicago.com
Ligne de requête
OPTIONS / HTTP/1.1
User-Agent
—
Règles WAF
950318:lfi-14
950326:rce-0
950382:rce-14
950470:nosqli-3
Meta JSON brut
{
"http_header_count": 9,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "com",
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "a0addcc0078eba4c239d40b883484da49a6a3091",
"http_referer_hash": null,
"http_method": "OPTIONS",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 330,
"payload_entropy": 5.353977801919507,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "4244cd02297ebac9a34aef115f62648b1915daa8",
"event_fingerprint": "7416b9bb3efd1f8d572fbdeba9229444277d638a",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950382:rce-14",
"950470:nosqli-3",
"http_no_ua"
]
}
31/05/2026 18:25:12 UTC
TCP
5908
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
31/05/2026 03:50:25 UTC
TCP
18080
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
18080
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "95213e5173294476838cc982e837f959c78f7920",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 219,
"payload_entropy": 5.104612548611584,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "0d9e87ef2d15479f4a45b7da4a662501432e16df",
"event_fingerprint": "e36a8c5e637670e4501ab9bb479d48bda4e772ec",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
30/05/2026 21:58:14 UTC
TCP
9418
git
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
30/05/2026 01:54:30 UTC
TCP
3917
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
30/05/2026 01:54:29 UTC
TCP
3917
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
29/05/2026 16:24:30 UTC
TCP
28015
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
29/05/2026 16:24:29 UTC
TCP
28015
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
28/05/2026 23:07:30 UTC
TCP
9092
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9092
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "b973fc3fbbb8ad0ad02cdb7acb9000d0cf01e75a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.104109930709399,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "aa85ae6a56352cca0b0d3bfb5da8020cce805343",
"event_fingerprint": "e4846829ef276a6459f2f0321b6e9d2944b49291",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
28/05/2026 17:19:19 UTC
TCP
3690
svn
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
28/05/2026 17:19:15 UTC
TCP
3690
svn
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 16:15:07 UTC
TCP
2101
Sonde HTTP
Élevée
Moyen · 61
Détails
Voir
Étape
—
WAF
6
Recommandation
—
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2101
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": "99e93223962ab2f72e77c776db1348329f030c85",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 79,
"payload_entropy": 4.824438704624974,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 1,
"risk_score": 61,
"campaign_key": "7efce3992d9a40edacfe52bffe566bee784b5a91",
"event_fingerprint": "55d938b1377cbc0df3239afdabb39b3f6f262b5f",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
]
}
23/05/2026 21:58:14 UTC
TCP
2001
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
21/05/2026 21:23:21 UTC
TCP
10000
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
21/05/2026 21:23:20 UTC
TCP
10000
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1