|
|
TCP |
8880 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:8880 · (sonde / probe) · → /_5knbz_d7st
|
Élevée
|
Moyen · 47
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1595
TA0007
TA0001
Protocole
GET /_5knbz_d7st UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
27
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/_5knbz_d7st
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8880
Chemin / cible
/_5knbz_d7st
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET /_5knbz_d7st HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /_5knbz_d7st HTTP/1.1
Host: 62.3.50.33:8880
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.
Requête brute (extrait)
GET /_5knbz_d7st HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d",
"http_target_hash": "57cfa9fb55526bf1dbae3d477cef122a06ae783a",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 172,
"payload_entropy": 5.267010723021234,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 67.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "2f0437e5e1ef84ed5b14d88e30d31d16ead71d30",
"event_fingerprint": "2bd87f39edb52be0b4d18bf93d031fcf96188a41",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "babf5b312ecded19fc6213a78fca17eb",
"path_pattern_hash": "9a7888cdbb60afeb40b5c5d390b98758"
},
"target_context": {
"dst_port": 8880,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/_5knbz_d7st HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"method": "GET",
"path": "\/_5knbz_d7st",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/_5knbz_d7st HTTP\/1.1",
"request_sample": "GET \/_5knbz_d7st HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/_5knbz_d7st HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"evidence": {
"method": "GET",
"path": "\/_5knbz_d7st",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/_5knbz_d7st HTTP\/1.1",
"request_sample": "GET \/_5knbz_d7st HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/_5knbz_d7st HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4b6d1277658d63e4db39c7af5713012c54cd6ca5",
"protocol_details": {
"http_method": "GET",
"http_path": "\/_5knbz_d7st",
"request_line": "GET \/_5knbz_d7st HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/_5knbz_d7st HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"attack_vector": "web scanner \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_5knbz_d7st",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/_5knbz_d7st",
"request_line": "GET \/_5knbz_d7st HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/_5knbz_d7st",
"evidence_snippet": "GET \/_5knbz_d7st HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8880"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
8880 · HTTP ALT 8880
|
http-alt-8880
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8880:8880 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
HTTP-ALT-8880
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8880
Chemin / cible
—
Service
HTTP ALT 8880
Payload
�����������2��ď"�#6�_�j�wk�������K�$g/ש�j �Z��b_j[���DgPӧ�������%}?�3đ�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������2��ď"�#6�_�j�wk�������K�$g/ש�j �Z��b_j[���DgPӧ�������%}?�3đ�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
�����������2��ď"�#6�_�j�wk�������K�$g/ש�j �Z��b_j[���DgPӧ�������%}?�3đ�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �]�3�`��W!,=L�? ����?�G4O��!�T
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.850991987198363,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8880",
"app_proto": "http-alt-8880",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a678a325f39f135d725fa17d8a0ab23c974128d7",
"event_fingerprint": "cd275046284c79b2c8b267829c0a7456b4c77905",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8880",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4b0ab69312895025b09733a52e67c9dc",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8880,
"service": "http-alt-8880",
"service_name": "http-alt-8880",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\u010f\"\ufffd#6\ufffd_\ufffdj\u0003wk\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdK\ufffd$g\/\u05e9\ufffdj \ufffdZ\ufffd\u0019b_j[\u000e\ufffd\u0007DgP\u04e7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%}?\u001d3\u0111\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\u010f\"\ufffd#6\ufffd_\ufffdj\u0003wk\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdK\ufffd$g\/\u05e9\ufffdj \ufffdZ\ufffd\u0019b_j[\u000e\ufffd\u0007DgP\u04e7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%}?\u001d3\u0111\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd]\ufffd3\ufffd`\ufffd\ufffdW!,=L\ufffd?\r\ufffd\ufffd\ufffd\ufffd?\ufffdG4O\u000f\u0005!\u0013T",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\u010f\"\ufffd#6\ufffd_\ufffdj\u0003wk\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdK\ufffd$g\/\u05e9\ufffdj \ufffdZ\ufffd\u0019b_j[\u000e\ufffd\u0007DgP\u04e7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%}?\u001d3\u0111\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "525852387555ba6bb9ee190739dea145668265e6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\u010f\"\ufffd#6\ufffd_\ufffdj\u0003wk\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdK\ufffd$g\/\u05e9\ufffdj \ufffdZ\ufffd\u0019b_j[\u000e\ufffd\u0007DgP\u04e7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%}?\u001d3\u0111\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"evidence_snippet": "\ufffd\ufffd2\ufffd\ufffd\u010f\"\ufffd#6\ufffd_\ufffdjwk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd$g\/\u05e9\ufffdj \ufffdZ\ufffdb_j[\ufffdDgP\u04e7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%}?3\u0111&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8880",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffd\u010f\"\ufffd#6\ufffd_\ufffdj\u0003wk\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdK\ufffd$g\/\u05e9\ufffdj \ufffdZ\ufffd\u0019b_j[\u000e\ufffd\u0007DgP\u04e7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%}?\u001d3\u0111\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd2\ufffd\ufffd\u010f\"\ufffd#6\ufffd_\ufffdjwk\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd$g\/\u05e9\ufffdj \ufffdZ\ufffdb_j[\ufffdDgP\u04e7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd%}?3\u0111&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8880",
"service_banner": "honeypot-http-alt-8880",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8880"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
8880 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:8880 · (sonde / probe) · → /.well-known/security.txt
|
Élevée
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /.well-known/security.txt UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
33
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950468:nosqli-3
Cible HTTP
GET
/.well-known/security.txt
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8880
Chemin / cible
/.well-known/security.txt
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — 5 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MITRE T1595 active scan
LFI Double-dot bypass
Probe /.well-known/
UA censys
Ligne de requête
GET /.well-known/security.txt HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /.well-known/security.txt HTTP/1.1
Host: 62.3.50.33:8880
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://
Requête brute (extrait)
GET /.well-known/security.txt HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20746578742f706c61696e3b20636861727365743d7574662d380d0a436f6e74656e742d4c656e6774683a2039350d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a436f6e74616374",
"emulator_response_len": 216,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "txt",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d",
"http_target_hash": "45c9b9d0d93f4f7ad3de5a5667f00a2d2df4266d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.2223036257689035,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 82.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 44,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "b99f1c75ff737c5a231e2584f1418ccbfbbd9bc3",
"event_fingerprint": "12ce5959f076eea62b91555f433fc2f83ff62376",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 115,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream"
],
"matched_patterns": [
"pat-0806",
"pat-0103",
"pat-0228",
"pat-0431"
],
"matched_pattern_names": [
"MITRE T1595 active scan",
"LFI Double-dot bypass",
"Probe \/.well-known\/",
"UA censys"
],
"pattern_ids": [
"pat-0806",
"pat-0103",
"pat-0228",
"pat-0431"
],
"confidence_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 44,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "0bc5d275d0f6dfd038245a755a5bbad1",
"path_pattern_hash": "c8b429a17a0f3584726a903b01671348"
},
"target_context": {
"dst_port": 8880,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"payload_preview": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"method": "GET",
"path": "\/.well-known\/security.txt",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"request_sample": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"evidence": {
"method": "GET",
"path": "\/.well-known\/security.txt",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"request_sample": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f7d462653c0eaba7c8c1df0896ab7e0f66200e50",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.well-known\/security.txt",
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"attack_vector": "web scanner \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/.well-known\/security.txt",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.well-known\/security.txt",
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/.well-known\/security.txt",
"evidence_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 82 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8880"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
8880 · HTTP ALT 8880
|
http-alt-8880
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8880:8880 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
HTTP-ALT-8880
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8880
Chemin / cible
—
Service
HTTP ALT 8880
Payload
�����������i��^ū�nIx��m*�R6����iA� �0�4�� �B0q��s�VLrd5:Z<L�ˁ������g/�����&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������i��^ū�nIx��m*�R6����iA���0�4�� �B0q��s�VLrd5:Z<L�ˁ������g/�����&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
�����������i��^ū�nIx��m*�R6����iA� �0�4�� �B0q��s�VLrd5:Z<L�ˁ������g/�����&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ���~���,-"��k��Nf�QO,�пd[l���2
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.84262470673917,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8880",
"app_proto": "http-alt-8880",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a678a325f39f135d725fa17d8a0ab23c974128d7",
"event_fingerprint": "cd275046284c79b2c8b267829c0a7456b4c77905",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8880",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "896b3d2c2bf51d9ebc257d8a6c304e06",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8880,
"service": "http-alt-8880",
"service_name": "http-alt-8880",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd\u0002^\u016b\u0001nIx\ufffd\ufffdm*\ufffdR6\ufffd\u001c\ufffd\u0015iA\ufffd\f\ufffd0\ufffd4\ufffd\ufffd \ufffdB0q\u001d\ufffds\ufffdVLrd5:Z<L\u001b\u02c1\u0016\ufffd\ufffd\ufffd\ufffd\ufffdg\/\u0005\u0019\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd\u0002^\u016b\u0001nIx\ufffd\ufffdm*\ufffdR6\ufffd\u001c\ufffd\u0015iA\ufffd\f\ufffd0\ufffd4\ufffd\ufffd \ufffdB0q\u001d\ufffds\ufffdVLrd5:Z<L\u001b\u02c1\u0016\ufffd\ufffd\ufffd\ufffd\ufffdg\/\u0005\u0019\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd~\ufffd\u0019\u0003,-\"\ufffd\ufffdk\ufffd\ufffdNf\ufffdQO,\u0003\u043fd[l\ufffd\ufffd\ufffd2",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd\u0002^\u016b\u0001nIx\ufffd\ufffdm*\ufffdR6\ufffd\u001c\ufffd\u0015iA\ufffd\f\ufffd0\ufffd4\ufffd\ufffd \ufffdB0q\u001d\ufffds\ufffdVLrd5:Z<L\u001b\u02c1\u0016\ufffd\ufffd\ufffd\ufffd\ufffdg\/\u0005\u0019\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0eff62e629d6eb25222cb80b81454045ff368c1f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd\u0002^\u016b\u0001nIx\ufffd\ufffdm*\ufffdR6\ufffd\u001c\ufffd\u0015iA\ufffd\f\ufffd0\ufffd4\ufffd\ufffd \ufffdB0q\u001d\ufffds\ufffdVLrd5:Z<L\u001b\u02c1\u0016\ufffd\ufffd\ufffd\ufffd\ufffdg\/\u0005\u0019\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"evidence_snippet": "\ufffd\ufffdi\ufffd^\u016bnIx\ufffd\ufffdm*\ufffdR6\ufffd\ufffdiA\ufffd\ufffd0\ufffd4\ufffd\ufffd \ufffdB0q\ufffds\ufffdVLrd5:Z<L\u02c1\ufffd\ufffd\ufffd\ufffd\ufffdg\/\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8880",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufffd\u0002^\u016b\u0001nIx\ufffd\ufffdm*\ufffdR6\ufffd\u001c\ufffd\u0015iA\ufffd\f\ufffd0\ufffd4\ufffd\ufffd \ufffdB0q\u001d\ufffds\ufffdVLrd5:Z<L\u001b\u02c1\u0016\ufffd\ufffd\ufffd\ufffd\ufffdg\/\u0005\u0019\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdi\ufffd^\u016bnIx\ufffd\ufffdm*\ufffdR6\ufffd\ufffdiA\ufffd\ufffd0\ufffd4\ufffd\ufffd \ufffdB0q\ufffds\ufffdVLrd5:Z<L\u02c1\ufffd\ufffd\ufffd\ufffd\ufffdg\/\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8880",
"service_banner": "honeypot-http-alt-8880",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8880"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
8880 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:8880 · (sonde / probe) · → /favicon.ico
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
27
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8880
Chemin / cible
/favicon.ico
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 50 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:8880
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600",
"emulator_response_len": 130,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 178,
"payload_entropy": 5.134700721863587,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 67.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 42,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "2f0437e5e1ef84ed5b14d88e30d31d16ead71d30",
"event_fingerprint": "ebf79eab0e2daacb2d226b1d30833748a278045f",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "120966ff28b987f60b11d8722b62c79e",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 8880,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fc56c7b8e9fba5ec1dc2fb4721a07e82bf698f40",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"attack_vector": "web scanner \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8880"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
8880 · HTTP
|
http
|
Sonde PostgreSQL
postgres probe · via HTTP:8880 · (sonde / probe) · → *
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
PRI *
Émulateur
HTTP
WAF
0
Recommandation
Surveiller
Tags
http_no_ua
net_web_probe
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
8880
Chemin / cible
*
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
PostgreSQL startup
ET H.323 setup
NFS RPC mount
Minecraft varint handshake
Ligne de requête
PRI * HTTP/1.1
User-Agent
—
Règles WAF
—
Payload (extrait)
PRI * HTTP/2.0
SM
�������������������Bh��������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 57,
"payload_entropy": 3.474882067394362,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "a65f44c5fea89b05abe4c39c79cfea14fbc63552",
"event_fingerprint": "d5775420bfa2875def2af44b681eb32ff748742c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0348",
"pat-0369",
"pat-0868",
"pat-0532",
"pat-0554"
],
"matched_pattern_names": [
"RDP TPKT header",
"PostgreSQL startup",
"ET H.323 setup",
"NFS RPC mount",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0348",
"pat-0369",
"pat-0868",
"pat-0532",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fe3435fc30fb19e768a81e744ede3fba",
"path_pattern_hash": "684888c0ebb17f374298b65ee2807526"
},
"target_context": {
"dst_port": 8880,
"service": "http",
"service_name": "http",
"risk_score": 35
},
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000",
"evidence": {
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5e46c315f7b9aebda41b442896d614cc172ba952",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\nBh",
"attack_vector": "postgres probe \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "postgres probe \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\nBh",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8880"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_no_ua",
"net_web_probe"
]
}
|
|
|
TCP |
8880 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:8880 · (sonde / probe)
|
Élevée
|
Moyen · 47
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
30
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8880
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8880
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Accep
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.183301719458293,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 75,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "d4300c6decb57d644bd267aea3cd6301ad539551",
"event_fingerprint": "1318e946fea33066fcb787572a2a8128d6ad5a3d",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "402b5469438497e6b6ac28076979f1f4",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8880,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ee14d1a53837725baddf0a0185621fed285a0143",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"attack_vector": "web scanner \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe)",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:8880 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 75 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8880"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
8880 · HTTP ALT 8880
|
http-alt-8880
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8880:8880 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
HTTP-ALT-8880
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8880
Chemin / cible
—
Service
HTTP ALT 8880
Payload
����������� �y������N�.Si'�r<���?�C�m�%��� �J�.�=c��v�&���b,�/-!�`���wz���8�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����������� �y������N�.Si'�r<���?�C�m�%��� �J�.�=c��v�&���b,�/-!�`���wz���8�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
����������� �y������N�.Si'�r<���?�C�m�%��� �J�.�=c��v�&���b,�/-!�`���wz���8�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �̿�r����\�刉��F�F�wB_����T[6�\
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.827175760701428,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8880",
"app_proto": "http-alt-8880",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a678a325f39f135d725fa17d8a0ab23c974128d7",
"event_fingerprint": "cd275046284c79b2c8b267829c0a7456b4c77905",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "http-alt-8880",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6cde21d3c28712a02b668f53aff9aaf3",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8880,
"service": "http-alt-8880",
"service_name": "http-alt-8880",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffdy\ufffd\ufffd\u0012\ufffd\ufffd\ufffdN\u000f.Si'\ufffdr<\ufffd\u0012\ufffd?\ufffdC\u0003m\ufffd%\ufffd\u0016\u001a \ufffdJ\ufffd.\ufffd=c\u0011\ufffdv\ufffd&\ufffd\ufffd\ufffdb,\ufffd\/-!\ufffd`\ufffd\ufffd\ufffdwz\ufffd\ufffd\ufffd8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffdy\ufffd\ufffd\u0012\ufffd\ufffd\ufffdN\u000f.Si'\ufffdr<\ufffd\u0012\ufffd?\ufffdC\u0003m\ufffd%\ufffd\u0016\u001a \ufffdJ\ufffd.\ufffd=c\u0011\ufffdv\ufffd&\ufffd\ufffd\ufffdb,\ufffd\/-!\ufffd`\ufffd\ufffd\ufffdwz\ufffd\ufffd\ufffd8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u033f\ufffdr\u0010\ufffd\ufffd\ufffd\\\ufffd\u5209\ufffd\u0001F\ufffdF\ufffdwB_\ufffd\ufffd\ufffd\ufffdT[6\u0012\\",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffdy\ufffd\ufffd\u0012\ufffd\ufffd\ufffdN\u000f.Si'\ufffdr<\ufffd\u0012\ufffd?\ufffdC\u0003m\ufffd%\ufffd\u0016\u001a \ufffdJ\ufffd.\ufffd=c\u0011\ufffdv\ufffd&\ufffd\ufffd\ufffdb,\ufffd\/-!\ufffd`\ufffd\ufffd\ufffdwz\ufffd\ufffd\ufffd8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f387de3c851c9d668f1b91416da1510dcebe8a74",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffdy\ufffd\ufffd\u0012\ufffd\ufffd\ufffdN\u000f.Si'\ufffdr<\ufffd\u0012\ufffd?\ufffdC\u0003m\ufffd%\ufffd\u0016\u001a \ufffdJ\ufffd.\ufffd=c\u0011\ufffdv\ufffd&\ufffd\ufffd\ufffdb,\ufffd\/-!\ufffd`\ufffd\ufffd\ufffdwz\ufffd\ufffd\ufffd8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"evidence_snippet": "\ufffd\ufffd\t\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdN.Si'\ufffdr<\ufffd\ufffd?\ufffdCm\ufffd%\ufffd \ufffdJ\ufffd.\ufffd=c\ufffdv\ufffd&\ufffd\ufffd\ufffdb,\ufffd\/-!\ufffd`\ufffd\ufffd\ufffdwz\ufffd\ufffd\ufffd8&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8880",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffdy\ufffd\ufffd\u0012\ufffd\ufffd\ufffdN\u000f.Si'\ufffdr<\ufffd\u0012\ufffd?\ufffdC\u0003m\ufffd%\ufffd\u0016\u001a \ufffdJ\ufffd.\ufffd=c\u0011\ufffdv\ufffd&\ufffd\ufffd\ufffdb,\ufffd\/-!\ufffd`\ufffd\ufffd\ufffdwz\ufffd\ufffd\ufffd8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\t\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdN.Si'\ufffdr<\ufffd\ufffd?\ufffdCm\ufffd%\ufffd \ufffdJ\ufffd.\ufffd=c\ufffdv\ufffd&\ufffd\ufffd\ufffdb,\ufffd\/-!\ufffd`\ufffd\ufffd\ufffdwz\ufffd\ufffd\ufffd8&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8880",
"service_banner": "honeypot-http-alt-8880",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
8880 · HTTP ALT 8880
|
http-alt-8880
|
http-alt-8880
http-alt-8880 · via HTTP ALT 8880:8880 · (sonde / probe)
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
HTTP-ALT-8880
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8880
Chemin / cible
—
Service
HTTP ALT 8880
Payload
GET / HTTP/1.1 Host: 62.3.50.33:8880
Pourquoi cette classification : Type « http-alt-8880 » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 1 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8880
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 41,
"payload_entropy": 4.222690418935626,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8880",
"app_proto": "http-alt-8880",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 32,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "42586675e4849e15cc49025daabb7b97631ac6d9",
"event_fingerprint": "cd275046284c79b2c8b267829c0a7456b4c77905",
"classification_reason": "Type \u00ab http-alt-8880 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "http-alt-8880",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4e159343443030a290c25e9a9aa510bc",
"path_pattern_hash": "1da24bfe41e285bcb59da34bdc01a7f0"
},
"target_context": {
"dst_port": 8880,
"service": "http-alt-8880",
"service_name": "http-alt-8880",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880",
"classification_reason": "Type \u00ab http-alt-8880 \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "87bcdf249789cff727a40c96a672cfb4c74a7a18",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880",
"attack_vector": "http-alt-8880 \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http-alt-8880 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab http-alt-8880 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8880",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"attack_vector": "http-alt-8880 \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8880",
"service_banner": "honeypot-http-alt-8880",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
]
}
|
|
|
TCP |
8880 · HTTP ALT 8880
|
http-alt-8880
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8880:8880 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
HTTP-ALT-8880
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8880
Chemin / cible
—
Service
HTTP ALT 8880
Payload
��������������Aܷ�|�6Ĩ�$(��"ӹ�s���iQ�F��j ���l�)��E��Ri�G����x:�Z�T�~���T��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������Aܷ�|�6Ĩ�$(��"ӹ�s���iQ�F��j ���l�)��E��Ri�G����x:�Z�T�~���T��&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
��������������Aܷ�|�6Ĩ�$(��"ӹ�s���iQ�F��j ���l�)��E��Ri�G����x:�Z�T�~���T��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ����yG�p$����3ۅ����H��P�o�L��-
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.839522352921771,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8880",
"app_proto": "http-alt-8880",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a678a325f39f135d725fa17d8a0ab23c974128d7",
"event_fingerprint": "cd275046284c79b2c8b267829c0a7456b4c77905",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "http-alt-8880",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bb1060971e5d8876ce324dc61cd60f27",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8880,
"service": "http-alt-8880",
"service_name": "http-alt-8880",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\u0737\u0000|\ufffd6\u0128\ufffd$(\u0018\ufffd\"\u04f9\ufffds\ufffd\u0003\ufffdiQ\ufffdF\ufffd\ufffdj \u0017\ufffd\ufffdl\ufffd)\ufffd\ufffdE\ufffd\ufffdRi\ufffdG\ufffd\ufffd\ufffd\ufffdx:\ufffdZ\ufffdT\ufffd~\ufffd\ufffd\ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\u0737\u0000|\ufffd6\u0128\ufffd$(\u0018\ufffd\"\u04f9\ufffds\ufffd\u0003\ufffdiQ\ufffdF\ufffd\ufffdj \u0017\ufffd\ufffdl\ufffd)\ufffd\ufffdE\ufffd\ufffdRi\ufffdG\ufffd\ufffd\ufffd\ufffdx:\ufffdZ\ufffdT\ufffd~\ufffd\ufffd\ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0012\ufffd\ufffd\u0017yG\ufffdp$\ufffd\ufffd\ufffd\ufffd3\u06c5\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffdP\ufffdo\ufffdL\ufffd\ufffd-",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\u0737\u0000|\ufffd6\u0128\ufffd$(\u0018\ufffd\"\u04f9\ufffds\ufffd\u0003\ufffdiQ\ufffdF\ufffd\ufffdj \u0017\ufffd\ufffdl\ufffd)\ufffd\ufffdE\ufffd\ufffdRi\ufffdG\ufffd\ufffd\ufffd\ufffdx:\ufffdZ\ufffdT\ufffd~\ufffd\ufffd\ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3e6f6a93b1478eaf61c2953c30bda0a1c6f33f2a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\u0737\u0000|\ufffd6\u0128\ufffd$(\u0018\ufffd\"\u04f9\ufffds\ufffd\u0003\ufffdiQ\ufffdF\ufffd\ufffdj \u0017\ufffd\ufffdl\ufffd)\ufffd\ufffdE\ufffd\ufffdRi\ufffdG\ufffd\ufffd\ufffd\ufffdx:\ufffdZ\ufffdT\ufffd~\ufffd\ufffd\ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdA\u0737|\ufffd6\u0128\ufffd$(\ufffd\"\u04f9\ufffds\ufffd\ufffdiQ\ufffdF\ufffd\ufffdj \ufffd\ufffdl\ufffd)\ufffd\ufffdE\ufffd\ufffdRi\ufffdG\ufffd\ufffd\ufffd\ufffdx:\ufffdZ\ufffdT\ufffd~\ufffd\ufffd\ufffdT\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8880",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdA\u0737\u0000|\ufffd6\u0128\ufffd$(\u0018\ufffd\"\u04f9\ufffds\ufffd\u0003\ufffdiQ\ufffdF\ufffd\ufffdj \u0017\ufffd\ufffdl\ufffd)\ufffd\ufffdE\ufffd\ufffdRi\ufffdG\ufffd\ufffd\ufffd\ufffdx:\ufffdZ\ufffdT\ufffd~\ufffd\ufffd\ufffdT\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdA\u0737|\ufffd6\u0128\ufffd$(\ufffd\"\u04f9\ufffds\ufffd\ufffdiQ\ufffdF\ufffd\ufffdj \ufffd\ufffdl\ufffd)\ufffd\ufffdE\ufffd\ufffdRi\ufffdG\ufffd\ufffd\ufffd\ufffdx:\ufffdZ\ufffdT\ufffd~\ufffd\ufffd\ufffdT\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8880",
"service_banner": "honeypot-http-alt-8880",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
8880 · HTTP ALT 8880
|
http-alt-8880
|
http-alt-8880
http-alt-8880 · via HTTP ALT 8880:8880 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
HTTP-ALT-8880
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8880
Chemin / cible
—
Pourquoi cette classification : Type « http-alt-8880 » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8880",
"app_proto": "http-alt-8880",
"asn": 398722,
"country": "US",
"dst_port": 8880,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "54eb16f06b5a386a6c501d3a5a9d0547d3f2a649",
"event_fingerprint": "cd275046284c79b2c8b267829c0a7456b4c77905",
"classification_reason": "Type \u00ab http-alt-8880 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "http-alt-8880",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "1da24bfe41e285bcb59da34bdc01a7f0"
},
"target_context": {
"dst_port": 8880,
"service": "http-alt-8880",
"service_name": "http-alt-8880",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4e4ad7f7b491c619c9072adb930d7ff10afdf838",
"protocol_details": {
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"attack_vector": "http-alt-8880 \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http-alt-8880 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab http-alt-8880 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8880",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 8880,
"service": "http-alt-8880",
"service_label_fr": "HTTP ALT 8880"
},
"attack_vector": "http-alt-8880 \u00b7 via HTTP ALT 8880:8880 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "8880 \u00b7 HTTP ALT 8880",
"emulator_service": "http-alt-8880",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8880",
"service_banner": "honeypot-http-alt-8880",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
4369 · EPMD
|
epmd
|
epmd
epmd · via EPMD:4369 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
EPMD
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
4369
Chemin / cible
—
Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a",
"emulator_response_len": 35,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "epmd",
"app_proto": "epmd",
"asn": 398722,
"country": "US",
"dst_port": 4369,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3",
"event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829",
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "epmd",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c"
},
"target_context": {
"dst_port": 4369,
"service": "epmd",
"service_name": "epmd",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "22531c50c4076e9401fba28a066d3db96533aa19",
"protocol_details": {
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "epmd",
"service_label_fr": "EPMD",
"dst_port": 4369,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-epmd",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "epmd",
"service_banner": "honeypot-epmd",
"service_os": "linux",
"dst_port": "4369"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
4369 · EPMD
|
epmd
|
epmd
epmd · via EPMD:4369 · (sonde / probe)
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
EPMD
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
4369
Chemin / cible
—
Service
EPMD
Payload
GET / HTTP/1.1 Host: 62.3.50.33:4369
Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 1 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:4369
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a",
"emulator_response_len": 35,
"bytes_in": 41,
"payload_entropy": 4.259514199528965,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "epmd",
"app_proto": "epmd",
"asn": 398722,
"country": "US",
"dst_port": 4369,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 32,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "3a7633c347dae468c74c1448b6f653eb40537dfb",
"event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829",
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "epmd",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "25ac285b07d33f62055b5a9bc9dcfa72",
"path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c"
},
"target_context": {
"dst_port": 4369,
"service": "epmd",
"service_name": "epmd",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369",
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3b11c8147cacbc93c8f6bf9e2036e3ddf91e33fb",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369",
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369",
"attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "epmd",
"service_label_fr": "EPMD",
"dst_port": 4369,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-epmd",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369",
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:4369",
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "epmd",
"service_banner": "honeypot-epmd",
"service_os": "linux",
"dst_port": "4369"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
]
}
|
|
|
TCP |
4369 · EPMD
|
epmd
|
Sonde PostgreSQL
postgres probe · via EPMD:4369 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
EPMD
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
4369
Chemin / cible
—
Service
EPMD
Payload
������������.aag��L��K���w?�N�T�~ ;�3B�]cf ܧ�⏆]�O�������� ��?�f����@�����&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������.aag��L��K���w?�N�T�~�;�3B�]cf ܧ�⏆]�O�����������?�f����@�����&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
������������.aag��L��K���w?�N�T�~ ;�3B�]cf ܧ�⏆]�O�������� ��?�f����@�����&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� rh�,�ο#R����� �N��� �D�!Ӌ���3
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a",
"emulator_response_len": 35,
"bytes_in": 243,
"payload_entropy": 5.830511779362344,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "epmd",
"app_proto": "epmd",
"asn": 398722,
"country": "US",
"dst_port": 4369,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "b7311c5a8b4d475aa3a4a336e2f83c02846c1df9",
"event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "epmd",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0d1921a9e8015ef8e96c442f0efd5099",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 4369,
"service": "epmd",
"service_name": "epmd",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.aag\ufffd\ufffdL\ufffd\ufffdK\ufffd\ufffd\ufffdw?\ufffdN\ufffdT\u000f~\u000b;\u00123B\ufffd]cf \u0727\ufffd\u23c6]\u0011O\b\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\u0000\f\ufffd\ufffd?\ufffdf\u0004\ufffd\u0014\ufffd@\ufffd\ufffd\u001d\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.aag\ufffd\ufffdL\ufffd\ufffdK\ufffd\ufffd\ufffdw?\ufffdN\ufffdT\u000f~\u000b;\u00123B\ufffd]cf \u0727\ufffd\u23c6]\u0011O\b\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\u0000\f\ufffd\ufffd?\ufffdf\u0004\ufffd\u0014\ufffd@\ufffd\ufffd\u001d\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 rh\ufffd,\u001e\u03bf#R\ufffd\ufffd\ufffd\ufffd\ufffd\u000b\ufffdN\ufffd\ufffd\ufffd\u000b\u0018D\u0002!\u04cb\ufffd\ufffd\ufffd3",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.aag\ufffd\ufffdL\ufffd\ufffdK\ufffd\ufffd\ufffdw?\ufffdN\ufffdT\u000f~\u000b;\u00123B\ufffd]cf \u0727\ufffd\u23c6]\u0011O\b\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\u0000\f\ufffd\ufffd?\ufffdf\u0004\ufffd\u0014\ufffd@\ufffd\ufffd\u001d\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b0692c5ef02b9332ef69f9abc0d72a6637db6be8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.aag\ufffd\ufffdL\ufffd\ufffdK\ufffd\ufffd\ufffdw?\ufffdN\ufffdT\u000f~\u000b;\u00123B\ufffd]cf \u0727\ufffd\u23c6]\u0011O\b\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\u0000\f\ufffd\ufffd?\ufffdf\u0004\ufffd\u0014\ufffd@\ufffd\ufffd\u001d\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"evidence_snippet": "\ufffd\ufffd\ufffd.aag\ufffd\ufffdL\ufffd\ufffdK\ufffd\ufffd\ufffdw?\ufffdN\ufffdT~;3B\ufffd]cf \u0727\ufffd\u23c6]O\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?\ufffdf\ufffd\ufffd@\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "epmd",
"service_label_fr": "EPMD",
"dst_port": 4369,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-epmd",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd.aag\ufffd\ufffdL\ufffd\ufffdK\ufffd\ufffd\ufffdw?\ufffdN\ufffdT\u000f~\u000b;\u00123B\ufffd]cf \u0727\ufffd\u23c6]\u0011O\b\ufffd\ufffd\ufffd\ufffd\u0010\ufffd\u0000\f\ufffd\ufffd?\ufffdf\u0004\ufffd\u0014\ufffd@\ufffd\ufffd\u001d\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"attack_vector": "postgres probe \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd.aag\ufffd\ufffdL\ufffd\ufffdK\ufffd\ufffd\ufffdw?\ufffdN\ufffdT~;3B\ufffd]cf \u0727\ufffd\u23c6]O\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?\ufffdf\ufffd\ufffd@\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "epmd",
"service_banner": "honeypot-epmd",
"service_os": "linux",
"dst_port": "4369"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
4369 · EPMD
|
epmd
|
epmd
epmd · via EPMD:4369 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
EPMD
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
4369
Chemin / cible
—
Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a",
"emulator_response_len": 35,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "epmd",
"app_proto": "epmd",
"asn": 398722,
"country": "US",
"dst_port": 4369,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3",
"event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829",
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "epmd",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c"
},
"target_context": {
"dst_port": 4369,
"service": "epmd",
"service_name": "epmd",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "22531c50c4076e9401fba28a066d3db96533aa19",
"protocol_details": {
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "epmd",
"service_label_fr": "EPMD",
"dst_port": 4369,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-epmd",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "epmd",
"service_banner": "honeypot-epmd",
"service_os": "linux",
"dst_port": "4369"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
4369 · EPMD
|
epmd
|
epmd
epmd · via EPMD:4369 · (sonde / probe)
|
Faible
|
Faible · 8
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
EPMD
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
4369
Chemin / cible
—
Pourquoi cette classification : Type « epmd » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 8
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742065706d6420726561647920706f72743d343336390d0a",
"emulator_response_len": 35,
"bytes_in": 3,
"payload_entropy": 1.584962500721156,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "epmd",
"app_proto": "epmd",
"asn": 398722,
"country": "US",
"dst_port": 4369,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 8,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "0db9abb3440dca14c19e8a9f3796f5b386f3e8e3",
"event_fingerprint": "5dd21f1dc188661a437472eaf9fc5811bcc1a829",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 8
},
"service_name": "epmd",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "76fae3c085bb43bf34b254b13bd8d00d",
"path_pattern_hash": "511947b0ac3d443a8f5be5198eff616c"
},
"target_context": {
"dst_port": 4369,
"service": "epmd",
"service_name": "epmd",
"risk_score": 8
},
"payload_preview": "\u0000\u0001n",
"request_sample": "\u0000\u0001n",
"payload_snippet": "\u0000\u0001n",
"evidence": {
"request_sample": "\u0000\u0001n",
"payload_snippet": "\u0000\u0001n",
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "559c3d5270361df399d08cf6f4c93bb6f6e23c67",
"protocol_details": {
"payload_preview": "\u0000\u0001n",
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"evidence_snippet": "n",
"attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab epmd \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 8,
"risk_label": "Faible",
"service_name": "epmd",
"service_label_fr": "EPMD",
"dst_port": 4369,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-epmd",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0001n",
"port": 4369,
"service": "epmd",
"service_label_fr": "EPMD"
},
"attack_vector": "epmd \u00b7 via EPMD:4369 \u00b7 (sonde \/ probe)",
"evidence_snippet": "n",
"target_port_label": "4369 \u00b7 EPMD",
"emulator_service": "epmd",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "epmd",
"service_banner": "honeypot-epmd",
"service_os": "linux",
"dst_port": "4369"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
789 · PROFINET
|
profinet
|
profinet probe
profinet probe · via PROFINET:789 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
PROFINET
WAF
—
Recommandation
Surveiller
Tags
net_profinet_probe
profinet_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
789
Chemin / cible
—
Pourquoi cette classification : Type « profinet_probe » (signaux protocolaires) · confiance 79%
Confiance classification
79%
Risque capteur
Faible
· 33
Confiance : Confiance 79 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
Ot Profinet Dcp Get
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "feff02050000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Censys, Inc.",
"service": "profinet",
"app_proto": "profinet",
"asn": 398722,
"country": "US",
"dst_port": 789,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "4961decd6327f18de006698db9ac6383131d39f8",
"event_fingerprint": "239045c8df466e0c943197e99d0bbe609ca22afe",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"confidence": 0.79,
"classification_confidence": 0.79,
"precision_score": 89,
"precision_signals": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"kb_rule_ids": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "profinet",
"risk_confidence_factor": 79,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "91a3874ab1b56c7604b2303ecb7824d0"
},
"target_context": {
"dst_port": 789,
"service": "profinet",
"service_name": "profinet",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "28351607539d1dcbd4e9c8b52d77b84b94278af1",
"protocol_details": {
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"classification_reason_label_fr": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "profinet",
"service_label_fr": "PROFINET",
"dst_port": 789,
"protocol_emulated": true,
"tags_summary": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Ot Profinet Dcp Get",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-profinet",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "profinet",
"service_banner": "honeypot-profinet",
"service_os": "linux",
"dst_port": "789"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_profinet_probe",
"profinet_emulated"
]
}
|
|
|
TCP |
789 · PROFINET
|
profinet
|
profinet probe
profinet probe · via PROFINET:789 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
PROFINET
WAF
—
Recommandation
Surveiller
Tags
net_profinet_probe
profinet_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
789
Chemin / cible
—
Pourquoi cette classification : Type « profinet_probe » (signaux protocolaires) · confiance 79%
Confiance classification
79%
Risque capteur
Faible
· 33
Confiance : Confiance 79 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
Ot Profinet Dcp Get
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "feff02050000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Censys, Inc.",
"service": "profinet",
"app_proto": "profinet",
"asn": 398722,
"country": "US",
"dst_port": 789,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "4961decd6327f18de006698db9ac6383131d39f8",
"event_fingerprint": "239045c8df466e0c943197e99d0bbe609ca22afe",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"confidence": 0.79,
"classification_confidence": 0.79,
"precision_score": 89,
"precision_signals": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"kb_rule_ids": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "profinet",
"risk_confidence_factor": 79,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "91a3874ab1b56c7604b2303ecb7824d0"
},
"target_context": {
"dst_port": 789,
"service": "profinet",
"service_name": "profinet",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "28351607539d1dcbd4e9c8b52d77b84b94278af1",
"protocol_details": {
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"classification_reason_label_fr": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "profinet",
"service_label_fr": "PROFINET",
"dst_port": 789,
"protocol_emulated": true,
"tags_summary": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Ot Profinet Dcp Get",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-profinet",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "profinet",
"service_banner": "honeypot-profinet",
"service_os": "linux",
"dst_port": "789"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_profinet_probe",
"profinet_emulated"
]
}
|
|
|
TCP |
789 · PROFINET
|
profinet
|
profinet probe
profinet probe · via PROFINET:789 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
PROFINET
WAF
—
Recommandation
Surveiller
Tags
net_profinet_probe
profinet_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
789
Chemin / cible
—
Service
PROFINET
Payload
��������������Il6m�J�B��}x���k����5�����b�� �}��f����;���?~G�1F]���6��!9M�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « profinet_probe » (signaux protocolaires) · confiance 79%
Confiance classification
79%
Risque capteur
Faible
· 33
Confiance : Confiance 79 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Ot Profinet Dcp Get
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������Il6m�J�B��}x���k����5�����b�� �}��f����;���?~G�1F]���6��!9M�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
��������������Il6m�J�B��}x���k����5�����b�� �}��f����;���?~G�1F]���6��!9M�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ȃ-7s���}����W��Ή�$�sOy�H��οnk
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "feff02050000000000000000",
"emulator_response_len": 12,
"bytes_in": 243,
"payload_entropy": 5.83789765307766,
"port_category": "well_known",
"org": "Censys, Inc.",
"service": "profinet",
"app_proto": "profinet",
"asn": 398722,
"country": "US",
"dst_port": 789,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 33,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "9982bb04a9bbc85771f01ba9f7e7b040cd8b8966",
"event_fingerprint": "239045c8df466e0c943197e99d0bbe609ca22afe",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"confidence": 0.79,
"classification_confidence": 0.79,
"precision_score": 89,
"precision_signals": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"kb_rule_ids": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "profinet",
"risk_confidence_factor": 79,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "008dee199989a53689c178aa83169d3d",
"path_pattern_hash": "91a3874ab1b56c7604b2303ecb7824d0",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 789,
"service": "profinet",
"service_name": "profinet",
"risk_score": 33
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdIl6m\ufffdJ\ufffdB\ufffd\ufffd}x\ufffd\u0011\ufffdk\ufffd\ufffd\u001e\ufffd5\ufffd\ufffd\u0016\u001f\ufffdb\ufffd\ufffd \ufffd}\ufffd\ufffdf\ufffd\u000e\ufffd\ufffd;\ufffd\u0004\ufffd?~G\u000f1F]\u000f\u00ad\u001e\ufffd6\u001e\ufffd!9M\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdIl6m\ufffdJ\ufffdB\ufffd\ufffd}x\ufffd\u0011\ufffdk\ufffd\ufffd\u001e\ufffd5\ufffd\ufffd\u0016\u001f\ufffdb\ufffd\ufffd \ufffd}\ufffd\ufffdf\ufffd\u000e\ufffd\ufffd;\ufffd\u0004\ufffd?~G\u000f1F]\u000f\u00ad\u001e\ufffd6\u001e\ufffd!9M\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0203-7s\ufffd\ufffd\ufffd}\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd\u0389\ufffd$\ufffdsOy\ufffdH\ufffd\ufffd\u03bfnk",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdIl6m\ufffdJ\ufffdB\ufffd\ufffd}x\ufffd\u0011\ufffdk\ufffd\ufffd\u001e\ufffd5\ufffd\ufffd\u0016\u001f\ufffdb\ufffd\ufffd \ufffd}\ufffd\ufffdf\ufffd\u000e\ufffd\ufffd;\ufffd\u0004\ufffd?~G\u000f1F]\u000f\u00ad\u001e\ufffd6\u001e\ufffd!9M\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5ddfe70e81fe763e34e4b1dc6c44627d489cdb12",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdIl6m\ufffdJ\ufffdB\ufffd\ufffd}x\ufffd\u0011\ufffdk\ufffd\ufffd\u001e\ufffd5\ufffd\ufffd\u0016\u001f\ufffdb\ufffd\ufffd \ufffd}\ufffd\ufffdf\ufffd\u000e\ufffd\ufffd;\ufffd\u0004\ufffd?~G\u000f1F]\u000f\u00ad\u001e\ufffd6\u001e\ufffd!9M\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdIl6m\ufffdJ\ufffdB\ufffd\ufffd}x\ufffd\ufffdk\ufffd\ufffd\ufffd5\ufffd\ufffd\ufffdb\ufffd\ufffd \ufffd}\ufffd\ufffdf\ufffd\ufffd\ufffd;\ufffd\ufffd?~G1F]\u00ad\ufffd6\ufffd!9M&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"classification_reason_label_fr": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "profinet",
"service_label_fr": "PROFINET",
"dst_port": 789,
"protocol_emulated": true,
"tags_summary": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Ot Profinet Dcp Get",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-profinet",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdIl6m\ufffdJ\ufffdB\ufffd\ufffd}x\ufffd\u0011\ufffdk\ufffd\ufffd\u001e\ufffd5\ufffd\ufffd\u0016\u001f\ufffdb\ufffd\ufffd \ufffd}\ufffd\ufffdf\ufffd\u000e\ufffd\ufffd;\ufffd\u0004\ufffd?~G\u000f1F]\u000f\u00ad\u001e\ufffd6\u001e\ufffd!9M\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdIl6m\ufffdJ\ufffdB\ufffd\ufffd}x\ufffd\ufffdk\ufffd\ufffd\ufffd5\ufffd\ufffd\ufffdb\ufffd\ufffd \ufffd}\ufffd\ufffdf\ufffd\ufffd\ufffd;\ufffd\ufffd?~G1F]\u00ad\ufffd6\ufffd!9M&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "profinet",
"service_banner": "honeypot-profinet",
"service_os": "linux",
"dst_port": "789"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_profinet_probe",
"profinet_emulated",
"tls_clienthello"
]
}
|
|
|
TCP |
789 · PROFINET
|
profinet
|
profinet probe
profinet probe · via PROFINET:789 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
PROFINET
WAF
—
Recommandation
Surveiller
Tags
net_profinet_probe
profinet_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
789
Chemin / cible
—
Pourquoi cette classification : Type « profinet_probe » (signaux protocolaires) · confiance 79%
Confiance classification
79%
Risque capteur
Faible
· 33
Confiance : Confiance 79 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
Ot Profinet Dcp Get
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "feff02050000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Censys, Inc.",
"service": "profinet",
"app_proto": "profinet",
"asn": 398722,
"country": "US",
"dst_port": 789,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "4961decd6327f18de006698db9ac6383131d39f8",
"event_fingerprint": "239045c8df466e0c943197e99d0bbe609ca22afe",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"confidence": 0.79,
"classification_confidence": 0.79,
"precision_score": 89,
"precision_signals": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"kb_rule_ids": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "profinet",
"risk_confidence_factor": 79,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "91a3874ab1b56c7604b2303ecb7824d0"
},
"target_context": {
"dst_port": 789,
"service": "profinet",
"service_name": "profinet",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "28351607539d1dcbd4e9c8b52d77b84b94278af1",
"protocol_details": {
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"classification_reason_label_fr": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "profinet",
"service_label_fr": "PROFINET",
"dst_port": 789,
"protocol_emulated": true,
"tags_summary": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Ot Profinet Dcp Get",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-profinet",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "profinet",
"service_banner": "honeypot-profinet",
"service_os": "linux",
"dst_port": "789"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_profinet_probe",
"profinet_emulated"
]
}
|
|
|
TCP |
789 · PROFINET
|
profinet
|
profinet probe
profinet probe · via PROFINET:789 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
PROFINET
WAF
—
Recommandation
Surveiller
Tags
net_profinet_probe
profinet_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
789
Chemin / cible
—
Service
PROFINET
Payload
���*��
Pourquoi cette classification : Type « profinet_probe » (signaux protocolaires) · confiance 79%
Confiance classification
79%
Risque capteur
Faible
· 33
Confiance : Confiance 79 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
Ot Profinet Dcp Get
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "feff02050000000000000000",
"emulator_response_len": 12,
"bytes_in": 6,
"payload_entropy": 2.2516291673878226,
"port_category": "well_known",
"org": "Censys, Inc.",
"service": "profinet",
"app_proto": "profinet",
"asn": 398722,
"country": "US",
"dst_port": 789,
"risk_waf": 8,
"risk_classification": 58,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "4961decd6327f18de006698db9ac6383131d39f8",
"event_fingerprint": "239045c8df466e0c943197e99d0bbe609ca22afe",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"confidence": 0.79,
"classification_confidence": 0.79,
"precision_score": 89,
"precision_signals": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"kb_rule_ids": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"matched_patterns": [
"pat-0554"
],
"matched_pattern_names": [
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "profinet",
"risk_confidence_factor": 79,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f87681029f21c94d72d5b48b6b88bd15",
"path_pattern_hash": "91a3874ab1b56c7604b2303ecb7824d0"
},
"target_context": {
"dst_port": 789,
"service": "profinet",
"service_name": "profinet",
"risk_score": 33
},
"payload_preview": "\u0000\u0004\b*\u0010\u0000",
"request_sample": "\u0000\u0004\b*\u0010\u0000",
"payload_snippet": "\u0000\u0004\b*\u0010\u0000",
"evidence": {
"request_sample": "\u0000\u0004\b*\u0010\u0000",
"payload_snippet": "\u0000\u0004\b*\u0010\u0000",
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"ics_probe"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3e61c64808f65d44576e09ab615e2417ae15f7b6",
"protocol_details": {
"payload_preview": "\u0000\u0004\b*\u0010\u0000",
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"evidence_snippet": "*",
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"classification_reason_label_fr": "Type \u00ab profinet_probe \u00bb (signaux protocolaires) \u00b7 confiance 79%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 58,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "profinet",
"service_label_fr": "PROFINET",
"dst_port": 789,
"protocol_emulated": true,
"tags_summary": [
"INT-OT-profinet-dcp-get",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Ot Profinet Dcp Get",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-profinet",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u0004\b*\u0010\u0000",
"port": 789,
"service": "profinet",
"service_label_fr": "PROFINET"
},
"attack_vector": "profinet probe \u00b7 via PROFINET:789 \u00b7 (sonde \/ probe)",
"evidence_snippet": "*",
"target_port_label": "789 \u00b7 PROFINET",
"emulator_service": "profinet",
"confidence_reason": "Confiance 79 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "profinet",
"service_banner": "honeypot-profinet",
"service_os": "linux",
"dst_port": "789"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_profinet_probe",
"profinet_emulated"
]
}
|
|
|
TCP |
1194 · OPENVPN
|
openvpn
|
openvpn probe
openvpn probe · via OPENVPN:1194 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
OPENVPN
WAF
—
Recommandation
Investiguer
Tags
net_openvpn_probe
openvpn_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1194
Chemin / cible
—
Pourquoi cette classification : Type « openvpn_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
Openvpn Pkt
Vpn Openvpn Pkt
Upstream
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "380000000000000000",
"emulator_response_len": 9,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "openvpn",
"app_proto": "openvpn",
"asn": 398722,
"country": "US",
"dst_port": 1194,
"risk_waf": 8,
"risk_classification": 46,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 50,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "2efe01a5352b8e3c11273a98def287670150d7d7",
"event_fingerprint": "3a7ecaf9104d633c1b2b6cfa11ec7d30d1b69370",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 131,
"precision_signals": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"kb_rule_ids": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "openvpn",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "6c07e36460e62c833d0e82829ad833da"
},
"target_context": {
"dst_port": 1194,
"service": "openvpn",
"service_name": "openvpn",
"risk_score": 50
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"network_service_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "673aa6f225634bd5a0bfd67665f9a5b8c31811df",
"protocol_details": {
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via OPENVPN",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "openvpn",
"service_label_fr": "OPENVPN",
"dst_port": 1194,
"protocol_emulated": true,
"tags_summary": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Openvpn Pkt",
"Vpn Openvpn Pkt",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-openvpn",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "openvpn",
"service_banner": "honeypot-openvpn",
"service_os": "linux",
"dst_port": "1194"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"net_openvpn_probe",
"openvpn_emulated"
]
}
|
|
|
TCP |
1194 · OPENVPN
|
openvpn
|
openvpn probe
openvpn probe · via OPENVPN:1194 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
OPENVPN
WAF
—
Recommandation
Investiguer
Tags
net_openvpn_probe
openvpn_emulated
tls_clienthello
wireguard_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1194
Chemin / cible
—
Service
OPENVPN
Payload
��������������ڲ����<=u�H��.��^� �.8��}�һ} ����� lry�gメ��|�u��<�_��c���C��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « openvpn_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Openvpn Pkt
Vpn Openvpn Pkt
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������ڲ����<=u�H��.��^� �.8��}�һ} �����
lry�gメ��|�u��<�_��c���C��&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
��������������ڲ����<=u�H��.��^� �.8��}�һ} ����� lry�gメ��|�u��<�_��c���C��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �����OKb�0���OD����5����C��3�yV
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "380000000000000000",
"emulator_response_len": 9,
"bytes_in": 243,
"payload_entropy": 5.8128443129745095,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "openvpn",
"app_proto": "openvpn",
"asn": 398722,
"country": "US",
"dst_port": 1194,
"risk_waf": 8,
"risk_classification": 46,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 50,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b231c69b279cda1b522242a58f7dc959ad14f887",
"event_fingerprint": "3a7ecaf9104d633c1b2b6cfa11ec7d30d1b69370",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 131,
"precision_signals": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"kb_rule_ids": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "openvpn",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7c1990c5a973b2beb792383d1ce7bad8",
"path_pattern_hash": "6c07e36460e62c833d0e82829ad833da",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 1194,
"service": "openvpn",
"service_name": "openvpn",
"risk_score": 50
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u0005\u06b2\ufffd\ufffd\ufffd\ufffd<=u\bH\ufffd\ufffd.\ufffd\u0011^\u0010 \ufffd.8\ufffd\ufffd}\ufffd\u04bb} \u0014\ufffd\ufffd\ufffd\ufffd\nlry\ufffdg\uff92\ufffd\ufffd|\u0006u\ufffd\ufffd<\ufffd_\ufffd\ufffdc\ufffd\ufffd\ufffdC\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u0005\u06b2\ufffd\ufffd\ufffd\ufffd<=u\bH\ufffd\ufffd.\ufffd\u0011^\u0010 \ufffd.8\ufffd\ufffd}\ufffd\u04bb} \u0014\ufffd\ufffd\ufffd\ufffd\nlry\ufffdg\uff92\ufffd\ufffd|\u0006u\ufffd\ufffd<\ufffd_\ufffd\ufffdc\ufffd\ufffd\ufffdC\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0005\ufffd\ufffd\ufffdOKb\ufffd0\ufffd\ufffd\ufffdOD\ufffd\ufffd\ufffd\ufffd5\ufffd\ufffd\ufffd\u0004C\u001a\ufffd3\u0005yV",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u0005\u06b2\ufffd\ufffd\ufffd\ufffd<=u\bH\ufffd\ufffd.\ufffd\u0011^\u0010 \ufffd.8\ufffd\ufffd}\ufffd\u04bb} \u0014\ufffd\ufffd\ufffd\ufffd\nlry\ufffdg\uff92\ufffd\ufffd|\u0006u\ufffd\ufffd<\ufffd_\ufffd\ufffdc\ufffd\ufffd\ufffdC\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"network_service_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "529dff5b16b827491daa0088f0b85bc37e24b38d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u0005\u06b2\ufffd\ufffd\ufffd\ufffd<=u\bH\ufffd\ufffd.\ufffd\u0011^\u0010 \ufffd.8\ufffd\ufffd}\ufffd\u04bb} \u0014\ufffd\ufffd\ufffd\ufffd\nlry\ufffdg\uff92\ufffd\ufffd|\u0006u\ufffd\ufffd<\ufffd_\ufffd\ufffdc\ufffd\ufffd\ufffdC\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u06b2\ufffd\ufffd\ufffd\ufffd<=uH\ufffd\ufffd.\ufffd^ \ufffd.8\ufffd\ufffd}\ufffd\u04bb} \ufffd\ufffd\ufffd\ufffd\nlry\ufffdg\uff92\ufffd\ufffd|u\ufffd\ufffd<\ufffd_\ufffd\ufffdc\ufffd\ufffd\ufffdC\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via OPENVPN",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "openvpn",
"service_label_fr": "OPENVPN",
"dst_port": 1194,
"protocol_emulated": true,
"tags_summary": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Openvpn Pkt",
"Vpn Openvpn Pkt",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-openvpn",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u0005\u06b2\ufffd\ufffd\ufffd\ufffd<=u\bH\ufffd\ufffd.\ufffd\u0011^\u0010 \ufffd.8\ufffd\ufffd}\ufffd\u04bb} \u0014\ufffd\ufffd\ufffd\ufffd\nlry\ufffdg\uff92\ufffd\ufffd|\u0006u\ufffd\ufffd<\ufffd_\ufffd\ufffdc\ufffd\ufffd\ufffdC\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u06b2\ufffd\ufffd\ufffd\ufffd<=uH\ufffd\ufffd.\ufffd^ \ufffd.8\ufffd\ufffd}\ufffd\u04bb} \ufffd\ufffd\ufffd\ufffd\nlry\ufffdg\uff92\ufffd\ufffd|u\ufffd\ufffd<\ufffd_\ufffd\ufffdc\ufffd\ufffd\ufffdC\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "openvpn",
"service_banner": "honeypot-openvpn",
"service_os": "linux",
"dst_port": "1194"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_openvpn_probe",
"openvpn_emulated",
"tls_clienthello",
"wireguard_probe"
]
}
|
|
|
TCP |
1194 · OPENVPN
|
openvpn
|
openvpn probe
openvpn probe · via OPENVPN:1194 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
OPENVPN
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
net_openvpn_probe
openvpn_emulated
wireguard_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1194
Chemin / cible
—
Service
OPENVPN
Payload
GET / HTTP/1.1 Host: 62.3.50.33:1194
Pourquoi cette classification : Type « openvpn_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
Openvpn Pkt
Vpn Openvpn Pkt
Upstream
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1194
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "380000000000000000",
"emulator_response_len": 9,
"bytes_in": 41,
"payload_entropy": 4.241102309232295,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "openvpn",
"app_proto": "openvpn",
"asn": 398722,
"country": "US",
"dst_port": 1194,
"risk_waf": 8,
"risk_classification": 46,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 0
},
"risk_score": 50,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "59989bacc8cbbb6ba6c6788c6985e939c3024820",
"event_fingerprint": "3a7ecaf9104d633c1b2b6cfa11ec7d30d1b69370",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 131,
"precision_signals": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"kb_rule_ids": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "openvpn",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5ec9f2a160a2266d6cd858961a5ad6a0",
"path_pattern_hash": "6c07e36460e62c833d0e82829ad833da"
},
"target_context": {
"dst_port": 1194,
"service": "openvpn",
"service_name": "openvpn",
"risk_score": 50
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"network_service_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "765c1461e13ea7c67bf1b72e36cf0623098e26cb",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194",
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194",
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via OPENVPN",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "openvpn",
"service_label_fr": "OPENVPN",
"dst_port": 1194,
"protocol_emulated": true,
"tags_summary": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Openvpn Pkt",
"Vpn Openvpn Pkt",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-openvpn",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194",
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1194",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "openvpn",
"service_banner": "honeypot-openvpn",
"service_os": "linux",
"dst_port": "1194"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"net_openvpn_probe",
"openvpn_emulated",
"wireguard_probe"
]
}
|
|
|
TCP |
1194 · OPENVPN
|
openvpn
|
openvpn probe
openvpn probe · via OPENVPN:1194 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
OPENVPN
WAF
—
Recommandation
Investiguer
Tags
net_openvpn_probe
openvpn_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1194
Chemin / cible
—
Pourquoi cette classification : Type « openvpn_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
Openvpn Pkt
Vpn Openvpn Pkt
Upstream
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "380000000000000000",
"emulator_response_len": 9,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "openvpn",
"app_proto": "openvpn",
"asn": 398722,
"country": "US",
"dst_port": 1194,
"risk_waf": 8,
"risk_classification": 46,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 50,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "2efe01a5352b8e3c11273a98def287670150d7d7",
"event_fingerprint": "3a7ecaf9104d633c1b2b6cfa11ec7d30d1b69370",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 131,
"precision_signals": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"kb_rule_ids": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "openvpn",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "6c07e36460e62c833d0e82829ad833da"
},
"target_context": {
"dst_port": 1194,
"service": "openvpn",
"service_name": "openvpn",
"risk_score": 50
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"network_service_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "673aa6f225634bd5a0bfd67665f9a5b8c31811df",
"protocol_details": {
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via OPENVPN",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "openvpn",
"service_label_fr": "OPENVPN",
"dst_port": 1194,
"protocol_emulated": true,
"tags_summary": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Openvpn Pkt",
"Vpn Openvpn Pkt",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-openvpn",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "openvpn",
"service_banner": "honeypot-openvpn",
"service_os": "linux",
"dst_port": "1194"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"net_openvpn_probe",
"openvpn_emulated"
]
}
|
|
|
TCP |
1194 · OPENVPN
|
openvpn
|
openvpn probe
openvpn probe · via OPENVPN:1194 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
OPENVPN
WAF
—
Recommandation
Investiguer
Tags
net_openvpn_probe
openvpn_emulated
wireguard_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1194
Chemin / cible
—
Service
OPENVPN
Payload
���9�7���÷�����
Pourquoi cette classification : Type « openvpn_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Openvpn Pkt
Vpn Openvpn Pkt
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mumble ping
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
��9�7���÷
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "380000000000000000",
"emulator_response_len": 9,
"bytes_in": 16,
"payload_entropy": 3.0306390622295662,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "openvpn",
"app_proto": "openvpn",
"asn": 398722,
"country": "US",
"dst_port": 1194,
"risk_waf": 8,
"risk_classification": 46,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 50,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "a68283091efaa6f80eb430c2fb90b8417f4a1a6b",
"event_fingerprint": "3a7ecaf9104d633c1b2b6cfa11ec7d30d1b69370",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 131,
"precision_signals": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"kb_rule_ids": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"matched_patterns": [
"pat-0768",
"pat-0554"
],
"matched_pattern_names": [
"Mumble ping",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0768",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "openvpn",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e8afc0ebea40fa9e6f5622ce78099419",
"path_pattern_hash": "6c07e36460e62c833d0e82829ad833da"
},
"target_context": {
"dst_port": 1194,
"service": "openvpn",
"service_name": "openvpn",
"risk_score": 50
},
"payload_preview": "\u0000\u000e\b9\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\u0000\u000e\b9\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u000e\b9\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0000\u000e\b9\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u000e\b9\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"network_service_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "635100b52a24407b7280bfa74c5f2cacddd2a75a",
"protocol_details": {
"payload_preview": "\u0000\u000e\b9\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"evidence_snippet": "9\ufffd7\ufffd\ufffd\u00f7",
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via OPENVPN",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "openvpn",
"service_label_fr": "OPENVPN",
"dst_port": 1194,
"protocol_emulated": true,
"tags_summary": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Openvpn Pkt",
"Vpn Openvpn Pkt",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-openvpn",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u000e\b9\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"evidence_snippet": "9\ufffd7\ufffd\ufffd\u00f7",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "openvpn",
"service_banner": "honeypot-openvpn",
"service_os": "linux",
"dst_port": "1194"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_openvpn_probe",
"openvpn_emulated",
"wireguard_probe"
]
}
|
|
|
TCP |
1194 · OPENVPN
|
openvpn
|
openvpn probe
openvpn probe · via OPENVPN:1194 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
OPENVPN
WAF
—
Recommandation
Investiguer
Tags
net_openvpn_probe
openvpn_emulated
wireguard_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1194
Chemin / cible
—
Service
OPENVPN
Payload
��89�7���÷�����
Pourquoi cette classification : Type « openvpn_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
Openvpn Pkt
Vpn Openvpn Pkt
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Mumble ping
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
�89�7���÷
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "380000000000000000",
"emulator_response_len": 9,
"bytes_in": 16,
"payload_entropy": 3.0306390622295662,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "openvpn",
"app_proto": "openvpn",
"asn": 398722,
"country": "US",
"dst_port": 1194,
"risk_waf": 8,
"risk_classification": 46,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 50,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "a68283091efaa6f80eb430c2fb90b8417f4a1a6b",
"event_fingerprint": "3a7ecaf9104d633c1b2b6cfa11ec7d30d1b69370",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 131,
"precision_signals": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"kb_rule_ids": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"matched_patterns": [
"pat-0768",
"pat-0554"
],
"matched_pattern_names": [
"Mumble ping",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0768",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "openvpn",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "52a141abf8eca2eb5ecdc56a59260624",
"path_pattern_hash": "6c07e36460e62c833d0e82829ad833da"
},
"target_context": {
"dst_port": 1194,
"service": "openvpn",
"service_name": "openvpn",
"risk_score": 50
},
"payload_preview": "\u0000\u000e89\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\u0000\u000e89\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u000e89\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0000\u000e89\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u000e89\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"network_service_scan"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "224c035bcb1fa74601bec9d0c84c0e5bbbc73baf",
"protocol_details": {
"payload_preview": "\u0000\u000e89\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"evidence_snippet": "89\ufffd7\ufffd\ufffd\u00f7",
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab openvpn_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via OPENVPN",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 46,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "openvpn",
"service_label_fr": "OPENVPN",
"dst_port": 1194,
"protocol_emulated": true,
"tags_summary": [
"INT-openvpn_pkt",
"INT-VPN-openvpn-pkt",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Openvpn Pkt",
"Vpn Openvpn Pkt",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-openvpn",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0000\u000e89\ufffd7\ufffd\u001a\ufffd\u00f7\u0000\u0000\u0000\u0000\u0000",
"port": 1194,
"service": "openvpn",
"service_label_fr": "OPENVPN"
},
"attack_vector": "openvpn probe \u00b7 via OPENVPN:1194 \u00b7 (sonde \/ probe)",
"evidence_snippet": "89\ufffd7\ufffd\ufffd\u00f7",
"target_port_label": "1194 \u00b7 OPENVPN",
"emulator_service": "openvpn",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "openvpn",
"service_banner": "honeypot-openvpn",
"service_os": "linux",
"dst_port": "1194"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_openvpn_probe",
"openvpn_emulated",
"wireguard_probe"
]
}
|