17/06/2026 03:08:38 UTC
TCP
5222 · XMPP
xmpp probe
xmpp probe · via XMPP:5222 · (sonde / probe)
Élevée
Moyen · 42
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
XMPP
WAF
—
Recommandation
Surveiller
Tags
net_xmpp_probe
xmpp_emulated
xmpp_payload
xmpp_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
5222
Chemin / cible
—
Service
XMPP
Payload
<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en-US' to='.
Pourquoi cette classification : Type « xmpp_probe » (signaux protocolaires) · confiance 66%
Confiance classification
66%
Risque capteur
Moyen
· 42
Confiance : Confiance 66 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0530
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
XMPP stream
User-Agent
—
Règles WAF
—
Payload (extrait)
<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en-US' to='.
Requête brute (extrait)
<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='en-US' to='.' version='1.0'>
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3c3f786d6c2076657273696f6e3d22312e30223f3e3c73747265616d3a73747265616d20786d6c6e733d226a61626265723a636c69656e74222066726f6d3d22686f6e6579706f742e6c6f63616c222069643d22687031223e3c73747265616d3a66656174757265733e3c6d656368616e69736d7320786d6c6e733d2275726e",
"emulator_response_len": 218,
"bytes_in": 144,
"payload_entropy": 4.638758186570317,
"port_category": "registered",
"org": "Google LLC",
"service": "xmpp",
"app_proto": "xmpp",
"asn": 396982,
"country": "US",
"dst_port": 5222,
"risk_waf": 8,
"risk_classification": 40,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 40,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "60678c06990b182bedd7b86b04acab9d2e260215",
"event_fingerprint": "e9276407314d5a0114cd546a2ee8e5043be9e0f6",
"classification_reason": "Type \u00ab xmpp_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%",
"confidence": 0.66,
"classification_confidence": 0.66,
"precision_score": 73,
"precision_signals": [
"pat-0530",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0530",
"INT-upstream"
],
"matched_patterns": [
"pat-0284",
"pat-0103",
"pat-0530"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass",
"XMPP stream"
],
"pattern_ids": [
"pat-0284",
"pat-0103",
"pat-0530"
],
"confidence_breakdown": {
"waf": 8,
"classification": 40,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42
},
"named_classification_skipped": false,
"service_name": "xmpp",
"risk_confidence_factor": 66,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9d9896a53a689722565f038fc5a999e6",
"path_pattern_hash": "6872bf2b034c4a30cbdf1be41d1b346f"
},
"target_context": {
"dst_port": 5222,
"service": "xmpp",
"service_name": "xmpp",
"risk_score": 42
},
"payload_preview": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.",
"request_sample": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.' version='1.0'>",
"payload_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.",
"evidence": {
"request_sample": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.' version='1.0'>",
"payload_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.",
"classification_reason": "Type \u00ab xmpp_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a906ae69d9008620ad6e90e3f9c077f0c5370137",
"protocol_details": {
"payload_preview": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.",
"port": 5222,
"service": "xmpp",
"service_label_fr": "XMPP"
},
"evidence_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.",
"attack_vector": "xmpp probe \u00b7 via XMPP:5222 \u00b7 (sonde \/ probe)",
"target_port_label": "5222 \u00b7 XMPP",
"emulator_service": "xmpp",
"confidence_reason": "Confiance 66 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xmpp_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%",
"classification_reason_label_fr": "Type \u00ab xmpp_probe \u00bb (signaux protocolaires) \u00b7 confiance 66%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 66,
"confidence_breakdown": {
"waf": 8,
"classification": 40,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "xmpp",
"service_label_fr": "XMPP",
"dst_port": 5222,
"protocol_emulated": true,
"tags_summary": [
"pat-0530",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0530",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-xmpp",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.",
"port": 5222,
"service": "xmpp",
"service_label_fr": "XMPP"
},
"attack_vector": "xmpp probe \u00b7 via XMPP:5222 \u00b7 (sonde \/ probe)",
"evidence_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='en-US' to='.",
"target_port_label": "5222 \u00b7 XMPP",
"emulator_service": "xmpp",
"confidence_reason": "Confiance 66 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 66 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "xmpp",
"service_banner": "honeypot-xmpp",
"service_os": "linux",
"dst_port": "5222"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_xmpp_probe",
"xmpp_emulated",
"xmpp_payload",
"xmpp_probe"
],
"asn_dc_heuristic": true
}
17/06/2026 02:25:23 UTC
TCP
9091 · KAFKA JMX
Sonde MongoDB
mongodb probe · via KAFKA JMX:9091 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
KAFKA-JMX
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mongodb_hello_probe
net_mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9091
Chemin / cible
—
Service
KAFKA JMX
Payload
GET / HTTP/1.1 Host: 62.3.50.33:9091 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Pourquoi cette classification : Type « mongodb_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0460
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:9091
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:9091 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206b61666b615f6a6d7820726561647920706f72743d393039310d0a",
"emulator_response_len": 40,
"bytes_in": 218,
"payload_entropy": 5.098398405489966,
"port_category": "registered",
"org": "Google LLC",
"service": "kafka-jmx",
"app_proto": "kafka-jmx",
"asn": 396982,
"country": "US",
"dst_port": 9091,
"risk_waf": 8,
"risk_classification": 55,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3fabe5a250585ea86f69f4c4b1190c201cd8e76f",
"event_fingerprint": "ad6f90f31a2155b40c6367185f89d9a8411ad654",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0460"
],
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"service_name": "kafka-jmx",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b2583020a897d36f7daa5c7290aa9670",
"path_pattern_hash": "64fbc3aee24db4a0fc1ea9e5fbb0e29c"
},
"target_context": {
"dst_port": 9091,
"service": "kafka-jmx",
"service_name": "kafka-jmx",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "480acb7c28e56c3af6c00986d3e9e3dc1aca515d",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"port": 9091,
"service": "kafka-jmx",
"service_label_fr": "KAFKA JMX"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"attack_vector": "mongodb probe \u00b7 via KAFKA JMX:9091 \u00b7 (sonde \/ probe)",
"target_port_label": "9091 \u00b7 KAFKA JMX",
"emulator_service": "kafka-jmx",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "kafka-jmx",
"service_label_fr": "KAFKA JMX",
"dst_port": 9091,
"protocol_emulated": true,
"tags_summary": [
"pat-0460"
],
"tags_summary_labels_fr": [
"pat-0460"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-kafka-jmx",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"port": 9091,
"service": "kafka-jmx",
"service_label_fr": "KAFKA JMX"
},
"attack_vector": "mongodb probe \u00b7 via KAFKA JMX:9091 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9091\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"target_port_label": "9091 \u00b7 KAFKA JMX",
"emulator_service": "kafka-jmx",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "kafka_jmx",
"service_banner": "honeypot-kafka-jmx",
"service_os": "linux",
"dst_port": "9091"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mongodb_hello_probe",
"net_mongodb_probe"
],
"asn_dc_heuristic": true
}
09/06/2026 22:10:18 UTC
TCP
5903 · VNC 3
Sonde port 5903/TCP
port 5903 tcp · via VNC 3:5903 · (sonde / probe)
Élevée
Moyen · 41
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
VNC-3
WAF
—
Recommandation
Surveiller
Tags
net_vnc_probe
vnc_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
5903
Chemin / cible
—
Preuve honeypot — Sonde port 5903/TCP
Connexion détectée sur le port 5903 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_5903_tcp » (signaux protocolaires) · confiance 69%
Confiance classification
69%
Risque capteur
Moyen
· 41
Confiance : Confiance 69 % — Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1 Signaux
Tcp Vnc Auth
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "524642203030332e3030380a",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": "vnc-3",
"app_proto": "vnc-3",
"asn": 396982,
"country": "US",
"dst_port": 5903,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 41,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "8f34496d5166832fc6cac5aaedc6543fb4342b9b",
"event_fingerprint": "a8d3fed671438e2c65c81445e5e14021e47b4e84",
"classification_reason": "Type \u00ab port_5903_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 82,
"precision_signals": [
"INT-tcp-vnc-auth"
],
"kb_rule_ids": [
"INT-tcp-vnc-auth"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"named_classification_skipped": true,
"named_candidate": "vnc_bruteforce",
"service_name": "vnc-3",
"risk_confidence_factor": 69,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "e12eeafa5ebc622db8927e7dea35233f"
},
"target_context": {
"dst_port": 5903,
"service": "vnc-3",
"service_name": "vnc-3",
"risk_score": 41
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "79a81809fd3a865777844fd4fc1d993788e14dc5",
"protocol_details": {
"port": 5903,
"service": "vnc-3",
"service_label_fr": "VNC 3"
},
"attack_vector": "port 5903 tcp \u00b7 via VNC 3:5903 \u00b7 (sonde \/ probe)",
"target_port_label": "5903 \u00b7 VNC 3",
"emulator_service": "vnc-3",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_5903_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"classification_reason_label_fr": "Type \u00ab port_5903_tcp \u00bb (signaux protocolaires) \u00b7 confiance 69%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 41\/100",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 41
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 41,
"risk_label": "Moyen",
"service_name": "vnc-3",
"service_label_fr": "VNC 3",
"dst_port": 5903,
"protocol_emulated": true,
"tags_summary": [
"INT-tcp-vnc-auth"
],
"tags_summary_labels_fr": [
"Tcp Vnc Auth"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-vnc-3",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 5903,
"service": "vnc-3",
"service_label_fr": "VNC 3"
},
"attack_vector": "port 5903 tcp \u00b7 via VNC 3:5903 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5903 \u00b7 VNC 3",
"emulator_service": "vnc-3",
"confidence_reason": "Confiance 69 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "vnc_3",
"service_banner": "honeypot-vnc-3",
"service_os": "linux",
"dst_port": "5903"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_vnc_probe",
"vnc_emulated"
],
"asn_dc_heuristic": true
}
08/06/2026 19:45:47 UTC
TCP
2083 · HTTP
Scanner web
web scanner · via HTTP:2083 · (sonde / probe)
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Hello from Palo Alto Networks, find out more about our scans in…
Émulateur
HTTP
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2083
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1 Signaux
Scanner Palo Alto
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2083
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2083 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "ea42ecbc54c9c495a92c7dd11f2463e9f5b9ede0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.098398405489966,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 2083,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "efd9b6935cf1b10838e356bebac207c7d051f2a2",
"event_fingerprint": "0c998034dc7b1b6ea11c95b38212d19a27318c7e",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "4ba794a18e4beeac9f1346d8b5e8fcda",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2083,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a9cc66ff68276eb3e931369ba49f4ce30c3d9514",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 2083,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"attack_vector": "web scanner \u00b7 via HTTP:2083 \u00b7 (sonde \/ probe)",
"target_port_label": "2083 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 25,
"risk_score": 47
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2083,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Palo Alto",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 2083,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:2083 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2083\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"target_port_label": "2083 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner",
"net_web_probe"
],
"asn_dc_heuristic": true
}
06/06/2026 06:24:04 UTC
TCP
3909
Sonde PostgreSQL
Élevée
Faible · 25
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
3909
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������4���V�`x���a����ql/�S�X�p)� o$�������=�Z��!;IeF��C�Sw���2;|��&�+�/�,�0̨̩� ���
�������/�5���
���������{�����
Requête brute (extrait)
��������������4���V�`x���a�� �ql/�S�X�p)� o$�������=�Z��!;IeF��C�Sw�� 2;|��&�+�/�,�0̨̩� ��� �������/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �Lr~? ;��a���;�G���UOG�O���ES��w
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.820807557557757,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 3909,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 25,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "60a33d4dd48ad9aea99e1fcb205053eca5669e25",
"event_fingerprint": "177c929cbae5cbe282d60bdc9f464ab3d126bf22",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "6a2909f7928b86e547dcb29f0cb3e3af",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 3909,
"service": "tls"
},
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4\ufffd\u000f\ufffdV\u0002`x\ufffd\ufffd\ufffda\ufffd\ufffd\f\ufffdql\/\ufffdS\ufffdX\ufffdp)\ufffd o$\u0019\ufffd\u001d\u0019\u000f\ufffd\u000e=\bZ\ufffd\ufffd!;IeF\ufffd\ufffdC\ufffdSw\ufffd\ufffd\u000b2;|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4\ufffd\u000f\ufffdV\u0002`x\ufffd\ufffd\ufffda\ufffd\ufffd\f\ufffdql\/\ufffdS\ufffdX\ufffdp)\ufffd o$\u0019\ufffd\u001d\u0019\u000f\ufffd\u000e=\bZ\ufffd\ufffd!;IeF\ufffd\ufffdC\ufffdSw\ufffd\ufffd\u000b2;|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdLr~?\f;\ufffd\ufffda\ufffd\u0006\ufffd;\ufffdG\u000e\ufffd\ufffdUOG\ufffdO\ufffd\ufffd\ufffdES\ufffd\u0012w",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4\ufffd\u000f\ufffdV\u0002`x\ufffd\ufffd\ufffda\ufffd\ufffd\f\ufffdql\/\ufffdS\ufffdX\ufffdp)\ufffd o$\u0019\ufffd\u001d\u0019\u000f\ufffd\u000e=\bZ\ufffd\ufffd!;IeF\ufffd\ufffdC\ufffdSw\ufffd\ufffd\u000b2;|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4\ufffd\u000f\ufffdV\u0002`x\ufffd\ufffd\ufffda\ufffd\ufffd\f\ufffdql\/\ufffdS\ufffdX\ufffdp)\ufffd o$\u0019\ufffd\u001d\u0019\u000f\ufffd\u000e=\bZ\ufffd\ufffd!;IeF\ufffd\ufffdC\ufffdSw\ufffd\ufffd\u000b2;|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdLr~?\f;\ufffd\ufffda\ufffd\u0006\ufffd;\ufffdG\u000e\ufffd\ufffdUOG\ufffdO\ufffd\ufffd\ufffdES\ufffd\u0012w",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4\ufffd\u000f\ufffdV\u0002`x\ufffd\ufffd\ufffda\ufffd\ufffd\f\ufffdql\/\ufffdS\ufffdX\ufffdp)\ufffd o$\u0019\ufffd\u001d\u0019\u000f\ufffd\u000e=\bZ\ufffd\ufffd!;IeF\ufffd\ufffdC\ufffdSw\ufffd\ufffd\u000b2;|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "625b5dccd36430c58d7077445e24b7bbd4b27655",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
06/06/2026 06:24:04 UTC
TCP
3909
Sonde PostgreSQL
Élevée
Faible · 25
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
3909
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������(�}���k���`�_������e:?���[c�����h�����/�+�0�,�����'�#��� �(�$���
�������g�k�3�9���������<�=�/�5�����
��������������
Requête brute (extrait)
������������(�}���k���`�_������e:?���[c�����h�����/�+�0�,�����'�#��� �(�$��� �������g�k�3�9���������<�=�/�5����� ���������������2���������8�@�f�j�������5���������� ����������� ����� � � ��������������������
Meta JSON brut
{
"tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 29,
"bytes_in": 207,
"payload_entropy": 4.918166970581096,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 3909,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 25,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "60a33d4dd48ad9aea99e1fcb205053eca5669e25",
"event_fingerprint": "16d64b9caed1429cb0a3db9a66030e4e57f7f510",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "795bc7ce13f60d61e9ac03611dd36d90",
"payload_hash": "7964fb3f1d5253dca13edce62616fa85",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 3909,
"service": "tls"
},
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd}\ufffd\ufffd\ufffdk\ufffd\ufffd\u0003`\ufffd_\u0017\u0005\ufffd\ufffd\ufffd\ufffde:?\ufffd\ufffd\ufffd[c\ufffd\ufffd\u001a\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd}\ufffd\ufffd\ufffdk\ufffd\ufffd\u0003`\ufffd_\u0017\u0005\ufffd\ufffd\ufffd\ufffde:?\ufffd\ufffd\ufffd[c\ufffd\ufffd\u001a\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd}\ufffd\ufffd\ufffdk\ufffd\ufffd\u0003`\ufffd_\u0017\u0005\ufffd\ufffd\ufffd\ufffde:?\ufffd\ufffd\ufffd[c\ufffd\ufffd\u001a\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd}\ufffd\ufffd\ufffdk\ufffd\ufffd\u0003`\ufffd_\u0017\u0005\ufffd\ufffd\ufffd\ufffde:?\ufffd\ufffd\ufffd[c\ufffd\ufffd\u001a\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd}\ufffd\ufffd\ufffdk\ufffd\ufffd\u0003`\ufffd_\u0017\u0005\ufffd\ufffd\ufffd\ufffde:?\ufffd\ufffd\ufffd[c\ufffd\ufffd\u001a\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "364b4c8571650a38b1a99730377db0c045901d78",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
06/06/2026 00:31:48 UTC
TCP
995
Sonde POP3
Élevée
Faible · 23
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
net_pop3_probe
pop3s_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
995
Chemin / cible
—
Pourquoi cette classification : Type « pop3_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
����o���k��RH��#�:N�ⴂ/� T���y�h�����="��� ��,��n�Y�bhl�(=':���oȢד���幐�(�
���9�k�5�=��� �#�����'�3�g�2�����/�<�
����������
Requête brute (extrait)
����o���k��RH��#�:N�ⴂ/� T���y�h�����="��� ��,��n�Y�bhl�(=':���oȢד���幐�(� ���9�k�5�=��� �#�����'�3�g�2�����/�<� �������������syndication.twimg.com������ ����������� �����#�����g`��B���<�XO�iD�������=]��L� ��B��� ���LDt}�����`~G���h?2�(qݍ*����(ى/���
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a",
"emulator_response_len": 25,
"bytes_in": 378,
"payload_entropy": 6.862122963505114,
"port_category": "well_known",
"org": "Google LLC",
"service": "pop3s",
"app_proto": "pop3s",
"asn": 396982,
"country": "US",
"dst_port": 995,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.5,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 23,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "71fb6554660ec7f81d99778d69d864b9864989b0",
"event_fingerprint": "0353453bbb76e4d6b1b3ea18095b3c0820f92351",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8b81809bfd53087ba03b6f3907cd619b",
"path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a"
},
"target_context": {
"dst_port": 995,
"service": "pop3s"
},
"payload_preview": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018",
"request_sample": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018\u0000\u0000\u0015syndication.twimg.com\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\ufffd\ufffd\u0001\u0019g`\u001e\u0004B\ufffd\ufffd\ufffd<\ufffdXO\ufffdiD\ufffd\u001d\ufffd\u0001\ufffd\ufffd\ufffd=]\ufffd\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\n\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\u0016`~G\u0007\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\u0003\ufffd(\u0649\/\u000f\u0007\ufffd",
"payload_snippet": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018",
"evidence": {
"request_sample": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018\u0000\u0000\u0015syndication.twimg.com\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\ufffd\ufffd\u0001\u0019g`\u001e\u0004B\ufffd\ufffd\ufffd<\ufffdXO\ufffdiD\ufffd\u001d\ufffd\u0001\ufffd\ufffd\ufffd=]\ufffd\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\n\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\u0016`~G\u0007\u0015\ufffdh?2\ufffd(q\u074d*\ufffd\ufffd\u0003\ufffd(\u0649\/\u000f\u0007\ufffd",
"payload_snippet": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018",
"classification_reason": "Type \u00ab pop3_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"classification_reason": "Type \u00ab pop3_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "34dfc52c96339dc873537613200b4c853d5aebc6",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_pop3_probe",
"pop3s_emulated",
"tls_clienthello"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
01/06/2026 00:07:22 UTC
TCP
3388
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
01/06/2026 00:07:21 UTC
TCP
3388
—
Sonde RDP
Élevée
Élevé · 67
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
01/06/2026 00:07:21 UTC
TCP
3388
—
Sonde RDP
Élevée
Élevé · 67
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
01/06/2026 00:07:21 UTC
TCP
3388
—
Sonde RDP
Élevée
Moyen · 62
Détails
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
29/05/2026 17:30:27 UTC
TCP
10911
—
Sonde port
Faible
Faible · 5
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
29/05/2026 17:30:27 UTC
TCP
10911
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
29/05/2026 01:51:53 UTC
TCP
111
rpcbind
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 22:55:50 UTC
TCP
5985
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
41
Recommandation
—
Tags
950079:sqli-19
950319:lfi-14
950326:rce-0
950327:rce-0
Cible HTTP
POST
/wsman
TLS SNI
—
Capteur
paris-1
Méthode
POST
Port
5985
Chemin / cible
/wsman
Ligne de requête
POST / HTTP/1.1
User-Agent
—
Règles WAF
950079:sqli-19
950319:lfi-14
950326:rce-0
950327:rce-0
950407:ssrf-3
950471:nosqli-3
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "ddb03e7308adcf12471acab96763196d66ec0139",
"http_target_hash": "f7f785f0382ee40d458513e78b6bfa3405678b3d",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 348,
"payload_entropy": 5.375488925768778,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 9,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "c78edd7f9efb442d053ab279d1a01cdeb171ef39",
"event_fingerprint": "536c5e811d95795d552fc5a9070f80100f8f96f7",
"tags_list": [
"950079:sqli-19",
"950319:lfi-14",
"950326:rce-0",
"950327:rce-0",
"950407:ssrf-3",
"950471:nosqli-3",
"http_jwt_body",
"http_no_ua",
"http_ssrf_body"
]
}
26/05/2026 08:39:07 UTC
TCP
4443
Connexion TLS
Faible
Faible · 7
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
Cible HTTP
—
TLS SNI
www.blacklistip.com
Capteur
paris-1
26/05/2026 08:39:07 UTC
TCP
4443
Connexion TLS
Faible
Faible · 7
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
Cible HTTP
—
TLS SNI
www.blacklistip.com
Capteur
paris-1
24/05/2026 07:30:32 UTC
TCP
4432
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
24/05/2026 07:30:32 UTC
TCP
4432
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
24/05/2026 03:43:47 UTC
TCP
445
smb attack
Élevée
Élevé · 72
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
24/05/2026 03:43:47 UTC
TCP
445
smb attack
Élevée
Élevé · 72
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
24/05/2026 03:43:46 UTC
TCP
445
smb attack
Élevée
Élevé · 72
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
23/05/2026 05:04:17 UTC
TCP
10010
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
10010
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "d929186c363ddc17983fd75243a4ce2c7a6bf818",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 219,
"payload_entropy": 5.0824447268203805,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "2ce8a4cee82959675e1c7dda9eb3a6b2e946c884",
"event_fingerprint": "10067b865f3d45e834659dbda5bd50a06e9443ec",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
22/05/2026 19:49:35 UTC
TCP
12694
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
22/05/2026 19:49:34 UTC
TCP
12694
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
20/05/2026 02:14:59 UTC
TCP
8883
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
20/05/2026 02:14:59 UTC
TCP
8883
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
18/05/2026 20:46:23 UTC
TCP
943
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
18/05/2026 20:46:23 UTC
TCP
943
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
18/05/2026 19:07:27 UTC
TCP
554
http
Faible
Faible · 14
Détails
Voir
Étape
—
WAF
0
Recommandation
—
Tags
http_no_ua
Cible HTTP
OPTIONS
*
TLS SNI
—
Capteur
paris-1
Méthode
OPTIONS
Port
554
Chemin / cible
*
Ligne de requête
OPTIONS / HTTP/1.1
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"http_header_count": 1,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "OPTIONS",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 31,
"payload_entropy": 4.082597923010943,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 1,
"anomaly_count": 0,
"risk_score": 14,
"campaign_key": "dd14a67a7e7547d6f673d73806243de4b6dda2c5",
"event_fingerprint": "7d55a1bf22da231ba44e425cb1fdedaef44e969c",
"tags_list": [
"http_no_ua"
]
}