|
|
TCP |
2121
|
—
|
Sonde port
Sonde port · port 2121 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2121
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 2121,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "02eb0c81e331c337295fc26ae9c2353a17e30bcb",
"event_fingerprint": "14cb54d937aaa2880230851dde350870da78074d",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 2121,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4904238e29a7a153175c661d88f74c945af7a3fb",
"protocol_details": {
"port": 2121
},
"attack_vector": "Sonde port \u00b7 port 2121 \u00b7 (sonde \/ probe)",
"target_port_label": "2121",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2121,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 2121
},
"attack_vector": "Sonde port \u00b7 port 2121 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "2121",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2121"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
|
|
|
TCP |
6001 · X11
|
x11
|
x11
x11 · via X11:6001 · (sonde / probe)
|
Faible
|
Faible · 1
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
X11
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
6001
Chemin / cible
—
Pourquoi cette classification : Type « x11 » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 1
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742078313120726561647920706f72743d363030310d0a",
"emulator_response_len": 34,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": "x11",
"app_proto": "x11",
"asn": 396982,
"country": "US",
"dst_port": 6001,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 40,
"protocol": 22,
"novelty": 0
},
"risk_score": 1,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "f0614f0f7579e7ecb276d9d958593905dcc7b69a",
"event_fingerprint": "70307154765175238b3a22e1b61a22a8bf0b78b4",
"classification_reason": "Type \u00ab x11 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 40,
"protocol": 22,
"novelty": 0,
"risk_score": 1
},
"named_classification_skipped": false,
"service_name": "x11",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "fe372293ac6fc8767d248278e9ceacbb"
},
"target_context": {
"dst_port": 6001,
"service": "x11",
"service_name": "x11",
"risk_score": 1
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b15472dd103e1f7e488e70e14c1ff9fde234fbfa",
"protocol_details": {
"port": 6001,
"service": "x11",
"service_label_fr": "X11"
},
"attack_vector": "x11 \u00b7 via X11:6001 \u00b7 (sonde \/ probe)",
"target_port_label": "6001 \u00b7 X11",
"emulator_service": "x11",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab x11 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab x11 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 40,
"protocol": 22,
"novelty": 0,
"risk_score": 1
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 1,
"risk_label": "Faible",
"service_name": "x11",
"service_label_fr": "X11",
"dst_port": 6001,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-x11",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 6001,
"service": "x11",
"service_label_fr": "X11"
},
"attack_vector": "x11 \u00b7 via X11:6001 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "6001 \u00b7 X11",
"emulator_service": "x11",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "x11",
"service_banner": "honeypot-x11",
"service_os": "linux",
"dst_port": "6001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
|
|
|
TCP |
20257
|
—
|
Sonde port
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
20257
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
SIe���/ AIDEE
Meta JSON brut
{
"bytes_in": 14,
"payload_entropy": 3.378783493486176,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 20257,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "fa159067ea7ef6a6ed6a1ede48eeb1c0074f844b",
"event_fingerprint": "fed85086d8bc339325a7aa43c8f33e9498a11b71",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "24b45afb57997e389a5f22bf1665e4f6",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 20257,
"risk_score": 44
},
"payload_preview": "SIe\u0000\b\u0000\/ AIDEE\r",
"request_sample": "SIe\u0000\b\u0000\/ AIDEE\r",
"payload_snippet": "SIe\u0000\b\u0000\/ AIDEE",
"evidence": {
"request_sample": "SIe\u0000\b\u0000\/ AIDEE\r",
"payload_snippet": "SIe\u0000\b\u0000\/ AIDEE",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ef03dab7c47066210e12d4e3751a482800aaaa8d",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "20257"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
|
|
|
TCP |
8531
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 26
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8531
Chemin / cible
—
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����o���k��RH��#�:N�ⴂ/� T���y�h�����="��� ��,��n�Y�bhl�(=':���oȢד���幐�(�
���9�k�5�=��� �#�����'�3�g�2�����/�<�
����������
Requête brute (extrait)
����o���k��RH��#�:N�ⴂ/� T���y�h�����="��� ��,��n�Y�bhl�(=':���oȢד���幐�(� ���9�k�5�=��� �#�����'�3�g�2�����/�<� �������������syndication.twimg.com������ ����������� �����#�����g`��B���<�XO�iD�������=]��L� ��B��� ���LDt}�����`~G���h?2�(qݍ*����(ى/���
Meta JSON brut
{
"tls_ja3_hash": "18e9afaf91db6f8a2470e7435c2a1d6b",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 13,
"bytes_in": 372,
"payload_entropy": 6.827478645460878,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8531,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 26,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "66fa9b3a8209916c8dd0ae0b7e9df3a8210ba4db",
"event_fingerprint": "248ae0d7fa601af5e1129a71dad6f27812533183",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "18e9afaf91db6f8a2470e7435c2a1d6b",
"payload_hash": "8b81809bfd53087ba03b6f3907cd619b",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 8531,
"service": "tls"
},
"payload_preview": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018",
"request_sample": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018\u0000\u0000\u0015syndication.twimg.com\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\ufffd\ufffd\u0001\u0019g`\u001e\u0004B\ufffd\ufffd\ufffd<\ufffdXO\ufffdiD\ufffd\u001d\ufffd\u0001\ufffd\ufffd\ufffd=]\ufffd\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\n\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\u0016`~G\u0007\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\u0003\ufffd(\u0649\/\u000f\u0007\ufffd",
"payload_snippet": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018",
"evidence": {
"request_sample": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018\u0000\u0000\u0015syndication.twimg.com\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\ufffd\ufffd\u0001\u0019g`\u001e\u0004B\ufffd\ufffd\ufffd<\ufffdXO\ufffdiD\ufffd\u001d\ufffd\u0001\ufffd\ufffd\ufffd=]\ufffd\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\n\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\u0016`~G\u0007\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\u0003\ufffd(\u0649\/\u000f\u0007\ufffd",
"payload_snippet": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a6e2154cfa3c2bcf15fd6d2c55b8d88e2e9ea3e4",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9080
|
http
|
Scanner web
|
Élevée
|
Moyen · 44
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9080
Chemin / cible
/
Confiance classification
95%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9080
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "619292ecb05b33d53073614c09ef5a4ed42429f0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.1098214559288335,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 9080,
"risk_waf": 57.5,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 57.5,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 44,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "007cc1ed1d66ba7331c00d683c66d8ed2be42dd2",
"event_fingerprint": "61865969d96150e256d39c83a8c1dbfe97517f54",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "30ddce113d380cf33f1e8cb2555e6cba",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9080,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"confidence": 0.95,
"classification_confidence": 0.95,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9080\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"event_signature": "e1dd1c2e51c337b3c6cced28f3f8aad359e35a4c",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8085
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8085
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "8307e910dac7083f4f0d52abcc8375f89d55b254",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.104109930709399,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "98c5aee0c2b0e6a77a9ed8691b666bd9bc9f8343",
"event_fingerprint": "39b0e5af9c5a517e28c065fe67fd86bf8be318fa",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
20256
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
81
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
81
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 216,
"payload_entropy": 5.078899861401631,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "1781bc0a8aa9a74602f07919f1d0485a0d7a5c10",
"event_fingerprint": "03badc3551a4f44339f123528b3672cbfed8ce84",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
24156
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
24156
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
24156
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
24156
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 31
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
24156
|
http
|
Sonde HTTP
|
Élevée
|
Moyen · 61
|
|
Étape
—
WAF
6
Recommandation
—
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
24156
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": "6759669debf8269b31bfa59fa580a7270df1a21d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 80,
"payload_entropy": 4.876641733102591,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 1,
"risk_score": 61,
"campaign_key": "33453ed795c1c79ca1e91887b79da7a106bf069c",
"event_fingerprint": "87122fd4da748f3a528c36a149ed64feda16ba45",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
24156
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
81
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
81
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 216,
"payload_entropy": 5.078899861401631,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "1781bc0a8aa9a74602f07919f1d0485a0d7a5c10",
"event_fingerprint": "03badc3551a4f44339f123528b3672cbfed8ce84",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
990
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
990
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|