{"ip":"199.45.155.101","exported_at":"2026-06-21T04:34:37+00:00","period_days":30,"metrics":{"events7d":22,"distinct_ports":3,"distinct_classifications":9,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":30,"max_risk_score":100,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["game_server_scan"],"recommended_action":"monitor","confidence":0,"risk_breakdown":{"waf":8,"classification":48,"behavior":0,"geo":0,"protocol":30,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":33,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 34\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":48,"behavior":0,"geo":0,"protocol":30,"novelty":0,"risk_score":34},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":0,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":"minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)","protocol_details":{"port":25565,"service":"minecraft","service_label_fr":"MINECRAFT"},"protocol_summary_fr":"MINECRAFT:25565","evidence_snippet":null,"target_port_label":"25565 \u00b7 MINECRAFT","emulator_service":"minecraft","confidence_reason":"Confiance 0 % \u2014 2 signal(aux) capteur","classification_reason":"Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","classification_reason_label_fr":"Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%","confidence_factors_fr":null,"payload_preview":null},"events":[{"id":9794334,"ip":"199.45.155.101","ts":"2026-06-20 23:50:26.000000","proto":"tcp","src_port":32922,"dst_port":25565,"service":"minecraft","classification":"minecraft_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022ff787b2276657273696f6e223a7b226e616d65223a22312e32302e34222c2270726f746f636f6c223a3736357d2c22706c6179657273223a7b226d6178223a32302c226f6e6c696e65223a337d2c226465736372697074696f6e223a7b2274657874223a22486f6e6579706f74204d696e656372616674227d7d\u0022, \u0022emulator_response_len\u0022: 122, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022minecraft\u0022, \u0022app_proto\u0022: \u0022minecraft\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 25565, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228be6ef7fabefbad597e63a337cf1c4019124c274\u0022, \u0022event_fingerprint\u0022: \u0022693ecbb9a1e86d78b2b00f4d400ad992bafdc5d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022796c509ff0514fcb64ff9e5a1c4b51db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022game_server_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255afc9b76587badf8c508a5256929b87db282372\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022, \u0022dst_port\u0022: 25565, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022minecraft\u0022, \u0022service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002225565\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":9794325,"ip":"199.45.155.101","ts":"2026-06-20 23:50:20.000000","proto":"tcp","src_port":32830,"dst_port":25565,"service":"minecraft","classification":"minecraft_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022ff787b2276657273696f6e223a7b226e616d65223a22312e32302e34222c2270726f746f636f6c223a3736357d2c22706c6179657273223a7b226d6178223a32302c226f6e6c696e65223a337d2c226465736372697074696f6e223a7b2274657874223a22486f6e6579706f74204d696e656372616674227d7d\u0022, \u0022emulator_response_len\u0022: 122, \u0022bytes_in\u0022: 2, \u0022payload_entropy\u0022: 1.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022minecraft\u0022, \u0022app_proto\u0022: \u0022minecraft\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 25565, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220e6668b1b6d7978d30ff719e7065e179eb722676\u0022, \u0022event_fingerprint\u0022: \u0022693ecbb9a1e86d78b2b00f4d400ad992bafdc5d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224b24f4cca7e61459da3fb7bee3042b66\u0022, \u0022path_pattern_hash\u0022: \u0022796c509ff0514fcb64ff9e5a1c4b51db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022game_server_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fa8bd1decd11f941972256ca9729511d6f441c4e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022, \u0022dst_port\u0022: 25565, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022minecraft\u0022, \u0022service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002225565\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022minecraft_emulated\u0022, \u0022minecraft_status_ping\u0022, \u0022net_minecraft_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022minecraft_emulated\u0022, \u0022minecraft_status_ping\u0022, \u0022net_minecraft_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":2},{"id":9794322,"ip":"199.45.155.101","ts":"2026-06-20 23:50:19.000000","proto":"tcp","src_port":32828,"dst_port":25565,"service":"minecraft","classification":"minecraft_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022ff787b2276657273696f6e223a7b226e616d65223a22312e32302e34222c2270726f746f636f6c223a3736357d2c22706c6179657273223a7b226d6178223a32302c226f6e6c696e65223a337d2c226465736372697074696f6e223a7b2274657874223a22486f6e6579706f74204d696e656372616674227d7d\u0022, \u0022emulator_response_len\u0022: 122, \u0022bytes_in\u0022: 20, \u0022payload_entropy\u0022: 3.646439344671015, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022minecraft\u0022, \u0022app_proto\u0022: \u0022minecraft\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 25565, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228be6ef7fabefbad597e63a337cf1c4019124c274\u0022, \u0022event_fingerprint\u0022: \u0022693ecbb9a1e86d78b2b00f4d400ad992bafdc5d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0554\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0554\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002201298a1ba3d91ca5d4a28cdbc75038e7\u0022, \u0022path_pattern_hash\u0022: \u0022796c509ff0514fcb64ff9e5a1c4b51db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022game_server_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224178fe7dbd5af13b500ca2ba4ac509230fac1527\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\\n62.3.50.33c\ufffd\u0022, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022, \u0022dst_port\u0022: 25565, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\\n62.3.50.33c\ufffd\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022minecraft\u0022, \u0022service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002225565\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":20},{"id":9794320,"ip":"199.45.155.101","ts":"2026-06-20 23:50:11.000000","proto":"tcp","src_port":50708,"dst_port":25565,"service":"minecraft","classification":"minecraft_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022ff787b2276657273696f6e223a7b226e616d65223a22312e32302e34222c2270726f746f636f6c223a3736357d2c22706c6179657273223a7b226d6178223a32302c226f6e6c696e65223a337d2c226465736372697074696f6e223a7b2274657874223a22486f6e6579706f74204d696e656372616674227d7d\u0022, \u0022emulator_response_len\u0022: 122, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022minecraft\u0022, \u0022app_proto\u0022: \u0022minecraft\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 25565, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228be6ef7fabefbad597e63a337cf1c4019124c274\u0022, \u0022event_fingerprint\u0022: \u0022693ecbb9a1e86d78b2b00f4d400ad992bafdc5d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022796c509ff0514fcb64ff9e5a1c4b51db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022game_server_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255afc9b76587badf8c508a5256929b87db282372\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022, \u0022dst_port\u0022: 25565, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022minecraft\u0022, \u0022service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002225565\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":9794316,"ip":"199.45.155.101","ts":"2026-06-20 23:50:03.000000","proto":"tcp","src_port":36814,"dst_port":25565,"service":"minecraft","classification":"minecraft_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022ff787b2276657273696f6e223a7b226e616d65223a22312e32302e34222c2270726f746f636f6c223a3736357d2c22706c6179657273223a7b226d6178223a32302c226f6e6c696e65223a337d2c226465736372697074696f6e223a7b2274657874223a22486f6e6579706f74204d696e656372616674227d7d\u0022, \u0022emulator_response_len\u0022: 122, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022minecraft\u0022, \u0022app_proto\u0022: \u0022minecraft\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 25565, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228be6ef7fabefbad597e63a337cf1c4019124c274\u0022, \u0022event_fingerprint\u0022: \u0022693ecbb9a1e86d78b2b00f4d400ad992bafdc5d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022796c509ff0514fcb64ff9e5a1c4b51db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022game_server_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255afc9b76587badf8c508a5256929b87db282372\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022, \u0022dst_port\u0022: 25565, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022minecraft\u0022, \u0022service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002225565\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":0},{"id":9794309,"ip":"199.45.155.101","ts":"2026-06-20 23:49:55.000000","proto":"tcp","src_port":38516,"dst_port":25565,"service":"minecraft","classification":"minecraft_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022ff787b2276657273696f6e223a7b226e616d65223a22312e32302e34222c2270726f746f636f6c223a3736357d2c22706c6179657273223a7b226d6178223a32302c226f6e6c696e65223a337d2c226465736372697074696f6e223a7b2274657874223a22486f6e6579706f74204d696e656372616674227d7d\u0022, \u0022emulator_response_len\u0022: 122, \u0022bytes_in\u0022: 20, \u0022payload_entropy\u0022: 3.646439344671015, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022minecraft\u0022, \u0022app_proto\u0022: \u0022minecraft\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 25565, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228be6ef7fabefbad597e63a337cf1c4019124c274\u0022, \u0022event_fingerprint\u0022: \u0022693ecbb9a1e86d78b2b00f4d400ad992bafdc5d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 75, \u0022precision_signals\u0022: [\u0022pat-0554\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0554\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_confidence_factor\u0022: 67.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002201298a1ba3d91ca5d4a28cdbc75038e7\u0022, \u0022path_pattern_hash\u0022: \u0022796c509ff0514fcb64ff9e5a1c4b51db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022game_server_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224178fe7dbd5af13b500ca2ba4ac509230fac1527\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\\n62.3.50.33c\ufffd\u0022, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022, \u0022dst_port\u0022: 25565, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0011\\u0000\ufffd\\u0005\\n62.3.50.33c\ufffd\\u0001\\u0001\\u0000\u0022, \u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\\n62.3.50.33c\ufffd\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 67 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022minecraft\u0022, \u0022service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002225565\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022minecraft_emulated\u0022, \u0022net_minecraft_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":20},{"id":9794310,"ip":"199.45.155.101","ts":"2026-06-20 23:49:55.000000","proto":"tcp","src_port":38518,"dst_port":25565,"service":"minecraft","classification":"minecraft_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022ff787b2276657273696f6e223a7b226e616d65223a22312e32302e34222c2270726f746f636f6c223a3736357d2c22706c6179657273223a7b226d6178223a32302c226f6e6c696e65223a337d2c226465736372697074696f6e223a7b2274657874223a22486f6e6579706f74204d696e656372616674227d7d\u0022, \u0022emulator_response_len\u0022: 122, \u0022bytes_in\u0022: 2, \u0022payload_entropy\u0022: 1.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022minecraft\u0022, \u0022app_proto\u0022: \u0022minecraft\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 25565, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220e6668b1b6d7978d30ff719e7065e179eb722676\u0022, \u0022event_fingerprint\u0022: \u0022693ecbb9a1e86d78b2b00f4d400ad992bafdc5d5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224b24f4cca7e61459da3fb7bee3042b66\u0022, \u0022path_pattern_hash\u0022: \u0022796c509ff0514fcb64ff9e5a1c4b51db\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022risk_score\u0022: 34}, \u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022game_server_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fa8bd1decd11f941972256ca9729511d6f441c4e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab minecraft_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022, \u0022dst_port\u0022: 25565, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022port\u0022: 25565, \u0022service\u0022: \u0022minecraft\u0022, \u0022service_label_fr\u0022: \u0022MINECRAFT\u0022}, \u0022attack_vector\u0022: \u0022minecraft probe \u00b7 via MINECRAFT:25565 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002225565 \u00b7 MINECRAFT\u0022, \u0022emulator_service\u0022: \u0022minecraft\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022minecraft\u0022, \u0022service_banner\u0022: \u0022honeypot-minecraft\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002225565\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022minecraft_emulated\u0022, \u0022minecraft_status_ping\u0022, \u0022net_minecraft_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022minecraft_emulated\u0022, \u0022minecraft_status_ping\u0022, \u0022net_minecraft_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":2},{"id":9401503,"ip":"199.45.155.101","ts":"2026-06-16 16:11:19.000000","proto":"tcp","src_port":35222,"dst_port":2628,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/login","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u00227bfe5d2aede5ff05f1a5927f4b6c6eb42899b7bd\u0022, \u0022http_target_hash\u0022: \u0022c42c80aa06113268fddf90dfdc871fb7318ff5cf\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 166, \u0022payload_entropy\u0022: 5.184166350219092, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 67.5, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022899b04d0adfbc2ed8682e9277c89d92b7a0026d6\u0022, \u0022event_fingerprint\u0022: \u00224c2927a61d943d91f8fd48f0ef75c2b83a855364\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.67, \u0022classification_confidence\u0022: 0.67, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA censys\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 48, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002232e8fb3a921e31a4753da44965548f23\u0022, \u0022payload_hash\u0022: \u002231cdb4c9bff282a922fb1b1d0b7acfc6\u0022, \u0022path_pattern_hash\u0022: \u00227e93fba0bc7adda858a2500090e639e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 48}, \u0022payload_preview\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/login\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/login\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228d56c3424e814b94d0bb7de74e24d804b1d7574d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/login\u0022, \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:2628 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (3 protocoles \u00b7 5 min)\u0022, \u0022confidence_pct\u0022: 67, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 48, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 48, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/login\u0022, \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:2628 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login\u0022, \u0022evidence_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 67 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:2628\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_login\u0022, \u0022http_ua_disclosed_scanner\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2628","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_login\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":166},{"id":9401500,"ip":"199.45.155.101","ts":"2026-06-16 16:11:18.000000","proto":"tcp","src_port":33772,"dst_port":2628,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.955362561722447, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c7d25ccfe79d9718f73ee71b338f52b0effb141b\u0022, \u0022event_fingerprint\u0022: \u00227648898212ff4892088a41f0beba9de0ab3b13d2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u00222b275d5853346f8d0604ed9c9ac19239\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\ufffd\ufffd\\ru\ufffd\ufffd#\u01b9opJ\ufffd\ufffd\ufffd\\u0011w\u003E*^\ufffd\ufffd\ufffd]\ufffdT\ufffd\ufffdR4\ufffd J\\u000e\\u0013\ufffda\ufffdsS\ufffd\\u001ft~\ufffd\ufffd^m\ufffd\ufffde\ufffd\ufffdA\ufffd\u05af\ufffd \ufffd\ufffdQ\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\ufffd\ufffd\\ru\ufffd\ufffd#\u01b9opJ\ufffd\ufffd\ufffd\\u0011w\u003E*^\ufffd\ufffd\ufffd]\ufffdT\ufffd\ufffdR4\ufffd J\\u000e\\u0013\ufffda\ufffdsS\ufffd\\u001ft~\ufffd\ufffd^m\ufffd\ufffde\ufffd\ufffdA\ufffd\u05af\ufffd \ufffd\ufffdQ\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 h\ufffd\\u000f\ufffd\ufffd\\t\ufffdt\u036c\ufffd%\ufffdGw~W\ufffdk\ufffdr\ufffd\ufffde\ufffdx\ufffdE\ufffdd|\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\ufffd\ufffd\\ru\ufffd\ufffd#\u01b9opJ\ufffd\ufffd\ufffd\\u0011w\u003E*^\ufffd\ufffd\ufffd]\ufffdT\ufffd\ufffdR4\ufffd J\\u000e\\u0013\ufffda\ufffdsS\ufffd\\u001ft~\ufffd\ufffd^m\ufffd\ufffde\ufffd\ufffdA\ufffd\u05af\ufffd \ufffd\ufffdQ\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ba2e3c7d8194ce89e19a7108e719b1c7c7104f2b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\ufffd\ufffd\\ru\ufffd\ufffd#\u01b9opJ\ufffd\ufffd\ufffd\\u0011w\u003E*^\ufffd\ufffd\ufffd]\ufffdT\ufffd\ufffdR4\ufffd J\\u000e\\u0013\ufffda\ufffdsS\ufffd\\u001ft~\ufffd\ufffd^m\ufffd\ufffde\ufffd\ufffdA\ufffd\u05af\ufffd \ufffd\ufffdQ\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd@\ufffd\ufffd\\ru\ufffd\ufffd#\u01b9opJ\ufffd\ufffd\ufffdw\u003E*^\ufffd\ufffd\ufffd]\ufffdT\ufffd\ufffdR4\ufffd J\ufffda\ufffdsS\ufffdt~\ufffd\ufffd^m\ufffd\ufffde\ufffd\ufffdA\ufffd\u05af\ufffd \ufffd\ufffdQ\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:2628 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003@\ufffd\ufffd\\ru\ufffd\ufffd#\u01b9opJ\ufffd\ufffd\ufffd\\u0011w\u003E*^\ufffd\ufffd\ufffd]\ufffdT\ufffd\ufffdR4\ufffd J\\u000e\\u0013\ufffda\ufffdsS\ufffd\\u001ft~\ufffd\ufffd^m\ufffd\ufffde\ufffd\ufffdA\ufffd\u05af\ufffd \ufffd\ufffdQ\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:2628 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd@\ufffd\ufffd\\ru\ufffd\ufffd#\u01b9opJ\ufffd\ufffd\ufffdw\u003E*^\ufffd\ufffd\ufffd]\ufffdT\ufffd\ufffdR4\ufffd J\ufffda\ufffdsS\ufffdt~\ufffd\ufffd^m\ufffd\ufffde\ufffd\ufffdA\ufffd\u05af\ufffd \ufffd\ufffdQ\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:2628\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":9401495,"ip":"199.45.155.101","ts":"2026-06-16 16:11:14.000000","proto":"tcp","src_port":33742,"dst_port":2628,"service":"http","classification":"http","waf_score":0,"waf_tags":"[]","http_method":"PRI","http_target":"*","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022df58248c414f342c81e056b40bee12d17a08bf61\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022PRI\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 24, \u0022payload_entropy\u0022: 3.66829583405449, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 8.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4a6a05d221c4b78756faca159c7247394dd94c2\u0022, \u0022event_fingerprint\u0022: \u00222ba34f83a0d4253f253fafdfdfce2fbb4a1dfd1b\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bd71964d35f553a9e1d0cddcb5864e08\u0022, \u0022path_pattern_hash\u0022: \u0022684888c0ebb17f374298b65ee2807526\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022PRI\u0022, \u0022path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022PRI\u0022, \u0022path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.65, \u0022classification_confidence\u0022: 0.65, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221d7bcb1351b89fa5bacaefc2ce4811b036ba7976\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022PRI\u0022, \u0022http_path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022attack_vector\u0022: \u0022http \u00b7 via HTTP:2628 \u00b7 (sonde \/ probe) \u00b7 \u2192 *\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 58 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http \u00bb (signaux protocolaires) \u00b7 confiance 58%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 65, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022PRI\u0022, \u0022http_path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http \u00b7 via HTTP:2628 \u00b7 (sonde \/ probe) \u00b7 \u2192 *\u0022, \u0022evidence_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 58 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 65 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:2628\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/2.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_no_ua\u0022]","anomalies":"[]","severity":1,"bytes_in":24},{"id":9401490,"ip":"199.45.155.101","ts":"2026-06-16 16:11:13.000000","proto":"tcp","src_port":33728,"dst_port":2628,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.839659360483297, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c7d25ccfe79d9718f73ee71b338f52b0effb141b\u0022, \u0022event_fingerprint\u0022: \u00227648898212ff4892088a41f0beba9de0ab3b13d2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u00223773df162db04f8d51802ddad93c0708\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\\u0022\ufffd\ufffd|\ufffd\ufffdH\ufffd\ufffd\ufffdIV\ufffd\ufffd\\t\ufffdG\ufffd9\ufffd\ufffd\ufffd\ufffdby \\u0018u\ufffd\ufffd 0Qq\ufffd`\u07f0\\u0007N\ufffdx\\u0014Y\ufffd\\u0019\ufffd\\u0019\ufffd\ufffd\ufffd\u0026\ufffd\u0666\ufffd*\ufffd\u0186\ufffd^l\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\\u0022\ufffd\ufffd|\ufffd\ufffdH\ufffd\ufffd\ufffdIV\ufffd\ufffd\\t\ufffdG\ufffd9\ufffd\ufffd\ufffd\ufffdby \\u0018u\ufffd\ufffd 0Qq\ufffd`\u07f0\\u0007N\ufffdx\\u0014Y\ufffd\\u0019\ufffd\\u0019\ufffd\ufffd\ufffd\u0026\ufffd\u0666\ufffd*\ufffd\u0186\ufffd^l\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd\\bz\\u0012\\u0004\ufffd\ufffd\ufffd\ufffd+\ufffd\\u001d\ufffd\ufffd\ufffd\ufffd\u073a\u00276\ufffd\ufffd4x%\ufffdZ)w\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\\u0022\ufffd\ufffd|\ufffd\ufffdH\ufffd\ufffd\ufffdIV\ufffd\ufffd\\t\ufffdG\ufffd9\ufffd\ufffd\ufffd\ufffdby \\u0018u\ufffd\ufffd 0Qq\ufffd`\u07f0\\u0007N\ufffdx\\u0014Y\ufffd\\u0019\ufffd\\u0019\ufffd\ufffd\ufffd\u0026\ufffd\u0666\ufffd*\ufffd\u0186\ufffd^l\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229a73b0f476eb3fc620f485ca0cdf2005e707e89e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\\u0022\ufffd\ufffd|\ufffd\ufffdH\ufffd\ufffd\ufffdIV\ufffd\ufffd\\t\ufffdG\ufffd9\ufffd\ufffd\ufffd\ufffdby \\u0018u\ufffd\ufffd 0Qq\ufffd`\u07f0\\u0007N\ufffdx\\u0014Y\ufffd\\u0019\ufffd\\u0019\ufffd\ufffd\ufffd\u0026\ufffd\u0666\ufffd*\ufffd\u0186\ufffd^l\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\\u0022\ufffd\ufffd|\ufffd\ufffdH\ufffd\ufffd\ufffdIV\ufffd\ufffd\\t\ufffdG\ufffd9\ufffd\ufffd\ufffd\ufffdby u\ufffd\ufffd 0Qq\ufffd`\u07f0N\ufffdxY\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\ufffd\u0666\ufffd*\ufffd\u0186\ufffd^l\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:2628 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\\u0022\ufffd\ufffd|\ufffd\ufffdH\ufffd\ufffd\ufffdIV\ufffd\ufffd\\t\ufffdG\ufffd9\ufffd\ufffd\ufffd\ufffdby \\u0018u\ufffd\ufffd 0Qq\ufffd`\u07f0\\u0007N\ufffdx\\u0014Y\ufffd\\u0019\ufffd\\u0019\ufffd\ufffd\ufffd\u0026\ufffd\u0666\ufffd*\ufffd\u0186\ufffd^l\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:2628 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\\\u0022\ufffd\ufffd|\ufffd\ufffdH\ufffd\ufffd\ufffdIV\ufffd\ufffd\\t\ufffdG\ufffd9\ufffd\ufffd\ufffd\ufffdby u\ufffd\ufffd 0Qq\ufffd`\u07f0N\ufffdxY\ufffd\ufffd\ufffd\ufffd\ufffd\u0026\ufffd\u0666\ufffd*\ufffd\u0186\ufffd^l\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:2628\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":9401493,"ip":"199.45.155.101","ts":"2026-06-16 16:11:13.000000","proto":"tcp","src_port":33734,"dst_port":2628,"service":"http","classification":"web_scanner","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u00227bfe5d2aede5ff05f1a5927f4b6c6eb42899b7bd\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 161, \u0022payload_entropy\u0022: 5.187990461707756, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 75.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002211f7a7aa9545e271edda76279b47657c2381104d\u0022, \u0022event_fingerprint\u0022: \u00220d1135b64349cfeb5f47888369495fb0c561b2a2\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 145, \u0022precision_signals\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA censys\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002232e8fb3a921e31a4753da44965548f23\u0022, \u0022payload_hash\u0022: \u00226d40f289eefdd0aff796f8ebe1f2b4b3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225ba699e48a3bd7b8e431d7594798788873359608\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:2628 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Scanner Censys\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:2628 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 75 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:2628\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2628","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":161},{"id":9401457,"ip":"199.45.155.101","ts":"2026-06-16 16:11:09.000000","proto":"tcp","src_port":33690,"dst_port":2628,"service":"http","classification":"web_probe","waf_score":8,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00227bfe5d2aede5ff05f1a5927f4b6c6eb42899b7bd\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 154, \u0022payload_entropy\u0022: 5.244358108389756, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 40.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 40.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a2a5e81053f519b7c8aa3e51865c07b0d3a3df9b\u0022, \u0022event_fingerprint\u0022: \u00228f6c48fdf737eddb0a90473d44bb51d3c7b8bd96\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c5b58f4206f90aa967d064561c9616c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: OHisqD3ww8KwuSiTHaWYwA==\\r\\nSec-WebSocket-Version: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022websocket-anomaly\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: OHisqD3ww8KwuSiTHaWYwA==\\r\\nSec-WebSocket-Version: 13\\r\\nUpgrade: websocket\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: OHisqD3ww8KwuSiTHaWYwA==\\r\\nSec-WebSocket-Version:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022websocket-anomaly\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: OHisqD3ww8KwuSiTHaWYwA==\\r\\nSec-WebSocket-Version: 13\\r\\nUpgrade: websocket\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: OHisqD3ww8KwuSiTHaWYwA==\\r\\nSec-WebSocket-Version:\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022}, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 40.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.82, \u0022classification_confidence\u0022: 0.82, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e84dce4740f35ae730754d23360edaa4ef9b8b0e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: OHisqD3ww8KwuSiTHaWYwA==\\r\\nSec-WebSocket-Version:\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:2628 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 40 \u00b7 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 82, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 40.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:2628 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: OHisqD3ww8KwuSiTHaWYwA==\\r\\nSec-WebSocket-Version:\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 74 % \u2014 Score WAF 40 \u00b7 2 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 82 % \u2014 Score WAF 40 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:2628\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2628","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":154},{"id":9401341,"ip":"199.45.155.101","ts":"2026-06-16 16:11:05.000000","proto":"tcp","src_port":45684,"dst_port":2628,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.8237816215947245, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c7d25ccfe79d9718f73ee71b338f52b0effb141b\u0022, \u0022event_fingerprint\u0022: \u00227648898212ff4892088a41f0beba9de0ab3b13d2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u0022eed5f3504a19881a11e51e396f92d670\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003_750\ufffdQ\ufffd\ufffdsg\ufffdZ\u0668`\ufffd\ufffd\ufffd!\ufffd\ufffdH\ufffd:*u%\ufffd\ufffd\\u0015\/ @\ufffds0\ufffd\\u0013\ufffd\ufffd?R%\ufffd\ufffd\ufffd\ufffd\ufffdku\\u0011\ufffd\ufffd\\u0006\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd:\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003_750\ufffdQ\ufffd\ufffdsg\ufffdZ\u0668`\ufffd\ufffd\ufffd!\ufffd\ufffdH\ufffd:*u%\ufffd\ufffd\\u0015\/ @\ufffds0\ufffd\\u0013\ufffd\ufffd?R%\ufffd\ufffd\ufffd\ufffd\ufffdku\\u0011\ufffd\ufffd\\u0006\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd:\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\u0108\ufffdER\u06e5;b\ufffdj\ufffdq\ufffd\\u001e7\ufffd\ufffdH\ufffds\\n\ufffdOB\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003_750\ufffdQ\ufffd\ufffdsg\ufffdZ\u0668`\ufffd\ufffd\ufffd!\ufffd\ufffdH\ufffd:*u%\ufffd\ufffd\\u0015\/ @\ufffds0\ufffd\\u0013\ufffd\ufffd?R%\ufffd\ufffd\ufffd\ufffd\ufffdku\\u0011\ufffd\ufffd\\u0006\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd:\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228b7b77fe81356b8dbc14752d936dd3c688a7ba69\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003_750\ufffdQ\ufffd\ufffdsg\ufffdZ\u0668`\ufffd\ufffd\ufffd!\ufffd\ufffdH\ufffd:*u%\ufffd\ufffd\\u0015\/ @\ufffds0\ufffd\\u0013\ufffd\ufffd?R%\ufffd\ufffd\ufffd\ufffd\ufffdku\\u0011\ufffd\ufffd\\u0006\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd:\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd_750\ufffdQ\ufffd\ufffdsg\ufffdZ\u0668`\ufffd\ufffd\ufffd!\ufffd\ufffdH\ufffd:*u%\ufffd\ufffd\/ @\ufffds0\ufffd\ufffd\ufffd?R%\ufffd\ufffd\ufffd\ufffd\ufffdku\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd:\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:2628 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003_750\ufffdQ\ufffd\ufffdsg\ufffdZ\u0668`\ufffd\ufffd\ufffd!\ufffd\ufffdH\ufffd:*u%\ufffd\ufffd\\u0015\/ @\ufffds0\ufffd\\u0013\ufffd\ufffd?R%\ufffd\ufffd\ufffd\ufffd\ufffdku\\u0011\ufffd\ufffd\\u0006\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd:\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:2628 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd_750\ufffdQ\ufffd\ufffdsg\ufffdZ\u0668`\ufffd\ufffd\ufffd!\ufffd\ufffdH\ufffd:*u%\ufffd\ufffd\/ @\ufffds0\ufffd\ufffd\ufffd?R%\ufffd\ufffd\ufffd\ufffd\ufffdku\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\ufffd\ufffd:\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:2628\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":9401331,"ip":"199.45.155.101","ts":"2026-06-16 16:11:02.000000","proto":"tcp","src_port":45660,"dst_port":2628,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dbb1b8b593bacf7fca056d3279d559d9caeae472\u0022, \u0022event_fingerprint\u0022: \u0022199529e615ae7af565fecf27923bf4dac7bda4e9\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002292a4c9e491dc1dc9211c5036212a8483a6085095\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 2628}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 2628 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222628\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 2628}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 2628 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00222628\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9401263,"ip":"199.45.155.101","ts":"2026-06-16 16:10:55.000000","proto":"tcp","src_port":38748,"dst_port":2628,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dbb1b8b593bacf7fca056d3279d559d9caeae472\u0022, \u0022event_fingerprint\u0022: \u0022199529e615ae7af565fecf27923bf4dac7bda4e9\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002292a4c9e491dc1dc9211c5036212a8483a6085095\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 2628}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 2628 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00222628\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 2628}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 2628 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00222628\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9379886,"ip":"199.45.155.101","ts":"2026-06-16 11:27:53.000000","proto":"tcp","src_port":50504,"dst_port":631,"service":"ipp","classification":"ipp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742069707020726561647920706f72743d3633310d0a\u0022, \u0022emulator_response_len\u0022: 33, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022ipp\u0022, \u0022app_proto\u0022: \u0022ipp\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 631, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d71f3907be7ed0f46f8494fbd62bda27aff2fd9e\u0022, \u0022event_fingerprint\u0022: \u00220ff2363c0156fd28c9def3540d5e442f36179298\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022705e09bea990ea8643df74d79aabe770\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022befe6ed60c0374f3a612d277f1b24d12a7ac10d7\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022attack_vector\u0022: \u0022ipp \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022, \u0022dst_port\u0022: 631, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022attack_vector\u0022: \u0022ipp \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ipp\u0022, \u0022service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022631\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9379875,"ip":"199.45.155.101","ts":"2026-06-16 11:27:47.000000","proto":"tcp","src_port":39916,"dst_port":631,"service":"ipp","classification":"ipp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742069707020726561647920706f72743d3633310d0a\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 40, \u0022payload_entropy\u0022: 4.127567157116928, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022ipp\u0022, \u0022app_proto\u0022: \u0022ipp\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 631, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 16.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 32.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002269011159e0850c89ecd5e31c9df17e4ceadefd69\u0022, \u0022event_fingerprint\u0022: \u00220ff2363c0156fd28c9def3540d5e442f36179298\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220698803d8ea33d9c62c8c90fa9fb6117\u0022, \u0022path_pattern_hash\u0022: \u0022705e09bea990ea8643df74d79aabe770\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002210e7e26ce7e141366ce15b814e48ceeeeede9964\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\u0022, \u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\u0022, \u0022attack_vector\u0022: \u0022ipp \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022, \u0022dst_port\u0022: 631, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\u0022, \u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022attack_vector\u0022: \u0022ipp \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:631\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ipp\u0022, \u0022service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022631\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022]","anomalies":"[]","severity":2,"bytes_in":40},{"id":9379871,"ip":"199.45.155.101","ts":"2026-06-16 11:27:46.000000","proto":"tcp","src_port":39904,"dst_port":631,"service":"ipp","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742069707020726561647920706f72743d3633310d0a\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.828104001397652, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022ipp\u0022, \u0022app_proto\u0022: \u0022ipp\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 631, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225f5bfee723539ed7c20966ca769533d6c50e2e19\u0022, \u0022event_fingerprint\u0022: \u00220ff2363c0156fd28c9def3540d5e442f36179298\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228a620c2018bf11d8de88c6c526a8f2ac\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001f\ufffd?\ufffd;NE\ufffd\\u0005f\ufffd\\u0011\\n1C\u1419J\ufffd\ufffd\\u0003\ufffd1\ufffdq[@V\ufffd +G\ufffd\ufffd\u066b\\u0010 \ufffd\\u0012l\ufffd-\\f\\u000e\ufffd\ufffd^\ufffd\ufffdRz\ufffd\ufffd\ufffd\\u0017#\ufffd9\u059b\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001f\ufffd?\ufffd;NE\ufffd\\u0005f\ufffd\\u0011\\n1C\u1419J\ufffd\ufffd\\u0003\ufffd1\ufffdq[@V\ufffd +G\ufffd\ufffd\u066b\\u0010 \ufffd\\u0012l\ufffd-\\f\\u000e\ufffd\ufffd^\ufffd\ufffdRz\ufffd\ufffd\ufffd\\u0017#\ufffd9\u059b\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 CNP\ufffd\\u0006=\ufffd\ufffd\ufffd\u0229#\ufffd\\u0004\\u001f\ufffd\\b\ufffd\ufffd\\u0019\\be4:\ufffd\ufffd\\u0001\\b%f\ufffdV\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001f\ufffd?\ufffd;NE\ufffd\\u0005f\ufffd\\u0011\\n1C\u1419J\ufffd\ufffd\\u0003\ufffd1\ufffdq[@V\ufffd +G\ufffd\ufffd\u066b\\u0010 \ufffd\\u0012l\ufffd-\\f\\u000e\ufffd\ufffd^\ufffd\ufffdRz\ufffd\ufffd\ufffd\\u0017#\ufffd9\u059b\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fbcfc76813599f4b357bb6942833221338c9d67f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001f\ufffd?\ufffd;NE\ufffd\\u0005f\ufffd\\u0011\\n1C\u1419J\ufffd\ufffd\\u0003\ufffd1\ufffdq[@V\ufffd +G\ufffd\ufffd\u066b\\u0010 \ufffd\\u0012l\ufffd-\\f\\u000e\ufffd\ufffd^\ufffd\ufffdRz\ufffd\ufffd\ufffd\\u0017#\ufffd9\u059b\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd?\ufffd;NE\ufffdf\ufffd\\n1C\u1419J\ufffd\ufffd\ufffd1\ufffdq[@V\ufffd +G\ufffd\ufffd\u066b \ufffdl\ufffd-\ufffd\ufffd^\ufffd\ufffdRz\ufffd\ufffd\ufffd#\ufffd9\u059b\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022, \u0022dst_port\u0022: 631, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u001f\ufffd?\ufffd;NE\ufffd\\u0005f\ufffd\\u0011\\n1C\u1419J\ufffd\ufffd\\u0003\ufffd1\ufffdq[@V\ufffd +G\ufffd\ufffd\u066b\\u0010 \ufffd\\u0012l\ufffd-\\f\\u000e\ufffd\ufffd^\ufffd\ufffdRz\ufffd\ufffd\ufffd\\u0017#\ufffd9\u059b\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd?\ufffd;NE\ufffdf\ufffd\\n1C\u1419J\ufffd\ufffd\ufffd1\ufffdq[@V\ufffd +G\ufffd\ufffd\u066b \ufffdl\ufffd-\ufffd\ufffd^\ufffd\ufffdRz\ufffd\ufffd\ufffd#\ufffd9\u059b\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ipp\u0022, \u0022service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022631\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":243},{"id":9379869,"ip":"199.45.155.101","ts":"2026-06-16 11:27:43.000000","proto":"tcp","src_port":39862,"dst_port":631,"service":"ipp","classification":"ipp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742069707020726561647920706f72743d3633310d0a\u0022, \u0022emulator_response_len\u0022: 33, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022ipp\u0022, \u0022app_proto\u0022: \u0022ipp\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 631, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d71f3907be7ed0f46f8494fbd62bda27aff2fd9e\u0022, \u0022event_fingerprint\u0022: \u00220ff2363c0156fd28c9def3540d5e442f36179298\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022705e09bea990ea8643df74d79aabe770\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022befe6ed60c0374f3a612d277f1b24d12a7ac10d7\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022attack_vector\u0022: \u0022ipp \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab ipp \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022, \u0022dst_port\u0022: 631, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022attack_vector\u0022: \u0022ipp \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ipp\u0022, \u0022service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022631\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9379860,"ip":"199.45.155.101","ts":"2026-06-16 11:27:39.000000","proto":"tcp","src_port":39802,"dst_port":631,"service":"ipp","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742069707020726561647920706f72743d3633310d0a\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.9455256912468775, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022ipp\u0022, \u0022app_proto\u0022: \u0022ipp\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 631, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225f5bfee723539ed7c20966ca769533d6c50e2e19\u0022, \u0022event_fingerprint\u0022: \u00220ff2363c0156fd28c9def3540d5e442f36179298\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d6e2bf92575ed3a2277062acdc8b2686\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\f$=\ufffdjf\ufffd+6d\u0791~\ufffd\\\u00226\ufffd\ufffd:10V\ufffd\ufffdqz\ufffdA\ufffdz \ufffd\u0027%g\ufffdJ\ufffd\\u001a\ufffdFx`n\ufffd+\ufffdB\ufffdw#\ufffd;\\u000b.@\\u0011\\u0012N\\f\ufffdI\\\u0022\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\f$=\ufffdjf\ufffd+6d\u0791~\ufffd\\\u00226\ufffd\ufffd:10V\ufffd\ufffdqz\ufffdA\ufffdz \ufffd\u0027%g\ufffdJ\ufffd\\u001a\ufffdFx`n\ufffd+\ufffdB\ufffdw#\ufffd;\\u000b.@\\u0011\\u0012N\\f\ufffdI\\\u0022\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u0018W\ufffd\\u000e\ufffdM[\ufffd\/N\ufffd8\ufffd\ufffdD\u0357\ufffd\\u0016,\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdHf\ufffd\ufffdDm\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\f$=\ufffdjf\ufffd+6d\u0791~\ufffd\\\u00226\ufffd\ufffd:10V\ufffd\ufffdqz\ufffdA\ufffdz \ufffd\u0027%g\ufffdJ\ufffd\\u001a\ufffdFx`n\ufffd+\ufffdB\ufffdw#\ufffd;\\u000b.@\\u0011\\u0012N\\f\ufffdI\\\u0022\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c9bdb97e7beffb6f749ff3c0e74e71b826b402f9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\f$=\ufffdjf\ufffd+6d\u0791~\ufffd\\\u00226\ufffd\ufffd:10V\ufffd\ufffdqz\ufffdA\ufffdz \ufffd\u0027%g\ufffdJ\ufffd\\u001a\ufffdFx`n\ufffd+\ufffdB\ufffdw#\ufffd;\\u000b.@\\u0011\\u0012N\\f\ufffdI\\\u0022\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd$=\ufffdjf\ufffd+6d\u0791~\ufffd\\\u00226\ufffd\ufffd:10V\ufffd\ufffdqz\ufffdA\ufffdz \ufffd\u0027%g\ufffdJ\ufffd\ufffdFx`n\ufffd+\ufffdB\ufffdw#\ufffd;.@N\ufffdI\\\u0022\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022, \u0022dst_port\u0022: 631, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\f$=\ufffdjf\ufffd+6d\u0791~\ufffd\\\u00226\ufffd\ufffd:10V\ufffd\ufffdqz\ufffdA\ufffdz \ufffd\u0027%g\ufffdJ\ufffd\\u001a\ufffdFx`n\ufffd+\ufffdB\ufffdw#\ufffd;\\u000b.@\\u0011\\u0012N\\f\ufffdI\\\u0022\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via IPP:631 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd$=\ufffdjf\ufffd+6d\u0791~\ufffd\\\u00226\ufffd\ufffd:10V\ufffd\ufffdqz\ufffdA\ufffdz \ufffd\u0027%g\ufffdJ\ufffd\ufffdFx`n\ufffd+\ufffdB\ufffdw#\ufffd;.@N\ufffdI\\\u0022\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ipp\u0022, \u0022service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022631\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_clienthello\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_clienthello\u0022]","anomalies":"[]","severity":3,"bytes_in":243},{"id":9379862,"ip":"199.45.155.101","ts":"2026-06-16 11:27:39.000000","proto":"tcp","src_port":39818,"dst_port":631,"service":"ipp","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f742069707020726561647920706f72743d3633310d0a\u0022, \u0022emulator_response_len\u0022: 33, \u0022bytes_in\u0022: 359, \u0022payload_entropy\u0022: 5.335751873609784, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022ipp\u0022, \u0022app_proto\u0022: \u0022ipp\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 631, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c915eb28a60b2299a9f6c12fd621db78ee325686\u0022, \u0022event_fingerprint\u0022: \u002210494905d166d137cdbac483efb99c42ee20ff9e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022, \u0022pat-0556\u0022, \u0022pat-0431\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022, \u0022Kafka ApiVersions key\u0022, \u0022UA censys\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022, \u0022pat-0556\u0022, \u0022pat-0431\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e98c47b4454c1d126a696092f5f77a76\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nCo\u0022, \u0022request_sample\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nContent-Length: 143\\r\\nAccept: *\/*\\r\\nContent-Type: application\/ipp\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\\u0002\\u0001\\u0000\\u000b\\u0000\\u0000\\u0000\\u0001\\u0001G\\u0000\\u0012attributes-charset\\u0000\\u0005utf-8H\\u0000\\u001b\u0022, \u0022payload_snippet\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nCo\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nContent-Length: 143\\r\\nAccept: *\/*\\r\\nContent-Type: application\/ipp\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\\u0002\\u0001\\u0000\\u000b\\u0000\\u0000\\u0000\\u0001\\u0001G\\u0000\\u0012attributes-charset\\u0000\\u0005utf-8H\\u0000\\u001b\u0022, \u0022payload_snippet\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nCo\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002231499f8c8c5a3ea0eeffbe0495cd997eb7a38b9a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nCo\u0022, \u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nCo\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via IPP:631 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via IPP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022, \u0022dst_port\u0022: 631, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nCo\u0022, \u0022port\u0022: 631, \u0022service\u0022: \u0022ipp\u0022, \u0022service_label_fr\u0022: \u0022IPP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via IPP:631 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ipp HTTP\/1.1\\r\\nHost: 62.3.50.33:631\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nCo\u0022, \u0022target_port_label\u0022: \u0022631 \u00b7 IPP\u0022, \u0022emulator_service\u0022: \u0022ipp\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ipp\u0022, \u0022service_banner\u0022: \u0022honeypot-ipp\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022631\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mozi_pattern\u0022, \u0022net_mozi_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":359},{"id":8540601,"ip":"199.45.155.101","ts":"2026-06-08 02:23:38.000000","proto":"tcp","src_port":38058,"dst_port":10002,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.820396588544959, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac72e4c41ae5ba0af08b5124820ee4357041729d\u0022, \u0022event_fingerprint\u0022: \u00227094fed778eec374ad644d7acabe0f7a8ba9c3fb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u0022e4c0ea6fc299edadfc83db1e6f4f453a\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdn\ufffd\ufffd\ufffdM\\u0002\ufffd\ufffd\\u0013\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u03f4v:\\u0017\ufffd\ufffd\ufffdJ\ufffd3(\ufffd\\r \\b\ufffdi\ufffd\\u0016\ufffdI\u07a5yX\ufffd\ufffd`nh\ufffd=\ufffd\u0026Q\ufffd\ufffdK\ufffd0\ufffdh\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdn\ufffd\ufffd\ufffdM\\u0002\ufffd\ufffd\\u0013\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u03f4v:\\u0017\ufffd\ufffd\ufffdJ\ufffd3(\ufffd\\r \\b\ufffdi\ufffd\\u0016\ufffdI\u07a5yX\ufffd\ufffd`nh\ufffd=\ufffd\u0026Q\ufffd\ufffdK\ufffd0\ufffdh\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd\ufffd\u07ab\ufffd\ufffdC\ufffdL\ufffdh+\\u0014\ufffd\ufffdJ6{\ufffd3\ufffd2\ufffd3\\u000e\ufffdHX\\u001ek\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdn\ufffd\ufffd\ufffdM\\u0002\ufffd\ufffd\\u0013\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u03f4v:\\u0017\ufffd\ufffd\ufffdJ\ufffd3(\ufffd\\r \\b\ufffdi\ufffd\\u0016\ufffdI\u07a5yX\ufffd\ufffd`nh\ufffd=\ufffd\u0026Q\ufffd\ufffdK\ufffd0\ufffdh\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224c5a73acb7c7145800ca68825e713cde2170ec98\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdn\ufffd\ufffd\ufffdM\\u0002\ufffd\ufffd\\u0013\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u03f4v:\\u0017\ufffd\ufffd\ufffdJ\ufffd3(\ufffd\\r \\b\ufffdi\ufffd\\u0016\ufffdI\u07a5yX\ufffd\ufffd`nh\ufffd=\ufffd\u0026Q\ufffd\ufffdK\ufffd0\ufffdh\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u03f4v:\ufffd\ufffd\ufffdJ\ufffd3(\ufffd\\r \ufffdi\ufffd\ufffdI\u07a5yX\ufffd\ufffd`nh\ufffd=\ufffd\u0026Q\ufffd\ufffdK\ufffd0\ufffdh\ufffd\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:10002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdn\ufffd\ufffd\ufffdM\\u0002\ufffd\ufffd\\u0013\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u03f4v:\\u0017\ufffd\ufffd\ufffdJ\ufffd3(\ufffd\\r \\b\ufffdi\ufffd\\u0016\ufffdI\u07a5yX\ufffd\ufffd`nh\ufffd=\ufffd\u0026Q\ufffd\ufffdK\ufffd0\ufffdh\ufffd\ufffd\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:10002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffd\u03f4v:\ufffd\ufffd\ufffdJ\ufffd3(\ufffd\\r \ufffdi\ufffd\ufffdI\u07a5yX\ufffd\ufffd`nh\ufffd=\ufffd\u0026Q\ufffd\ufffdK\ufffd0\ufffdh\ufffd\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10002\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8540602,"ip":"199.45.155.101","ts":"2026-06-08 02:23:38.000000","proto":"tcp","src_port":38062,"dst_port":10002,"service":"http","classification":"web_scanner","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/wiki","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u00225817925db6a96eeacba22edc14fd3e8b07993d86\u0022, \u0022http_target_hash\u0022: \u00226e19ef03648d0e0a22ed0f7ad0be4e265e7c7c3f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 166, \u0022payload_entropy\u0022: 5.197223826116918, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 67.5, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a48cc6ce726646b6e9d6a2ccb3ec40aea8d9248d\u0022, \u0022event_fingerprint\u0022: \u002262aee573e0a1e1d4bbcf27de8db0582a967a438d\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 145, \u0022precision_signals\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA censys\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002232e8fb3a921e31a4753da44965548f23\u0022, \u0022payload_hash\u0022: \u0022432308c3d4901ac25778e2e3e880cfa0\u0022, \u0022path_pattern_hash\u0022: \u0022fdf33dfda1bc755bf3cc3020003e45ff\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/wiki HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wiki\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/wiki HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wiki HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wiki HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/wiki\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/wiki HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/wiki HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/wiki HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022318fb4083537c1db40345661cc73c0466bf8353a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wiki\u0022, \u0022request_line\u0022: \u0022GET \/wiki HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/wiki HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:10002 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/wiki\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Scanner Censys\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/wiki\u0022, \u0022request_line\u0022: \u0022GET \/wiki HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:10002 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/wiki\u0022, \u0022evidence_snippet\u0022: \u0022GET \/wiki HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10002\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_ua_disclosed_scanner\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:10002","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":166},{"id":8540592,"ip":"199.45.155.101","ts":"2026-06-08 02:23:34.000000","proto":"tcp","src_port":38040,"dst_port":10002,"service":"http","classification":"web_scanner","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u00225817925db6a96eeacba22edc14fd3e8b07993d86\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 162, \u0022payload_entropy\u0022: 5.1579021850561375, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 75.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e562de41f9b4b593a8e74a7bb00aba2b207cc6cc\u0022, \u0022event_fingerprint\u0022: \u00229114e8d4719906217e98370ac4f560f04d793845\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 145, \u0022precision_signals\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA censys\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002232e8fb3a921e31a4753da44965548f23\u0022, \u0022payload_hash\u0022: \u00221ab95fb9b23dc645bafb219e0d6e5199\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAcce\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAcce\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAcce\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dd3c168cb2e1305772e873bfab152d3f07031e55\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAcce\u0022, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:10002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 47\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Scanner Censys\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:10002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAcce\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 75 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10002\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:10002","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":162},{"id":8540593,"ip":"199.45.155.101","ts":"2026-06-08 02:23:34.000000","proto":"tcp","src_port":38042,"dst_port":10002,"service":"http","classification":"postgres_probe","waf_score":0,"waf_tags":"[]","http_method":"PRI","http_target":"*","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022df58248c414f342c81e056b40bee12d17a08bf61\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022PRI\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 57, \u0022payload_entropy\u0022: 3.474882067394362, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d22148e011e814d225906802aa4f9a7482651364\u0022, \u0022event_fingerprint\u0022: \u0022b04d325d12a6e2a24c457687f35a0c4d03268ef2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0369\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022PostgreSQL startup\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0369\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fe3435fc30fb19e768a81e744ede3fba\u0022, \u0022path_pattern_hash\u0022: \u0022684888c0ebb17f374298b65ee2807526\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\n\u0022, \u0022method\u0022: \u0022PRI\u0022, \u0022path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\n\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022PRI\u0022, \u0022path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\n\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022097c9ff865f47dbf60a3dd19603686eb2d3ada61\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022PRI\u0022, \u0022http_path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\nBh\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via HTTP:10002 \u00b7 (sonde \/ probe) \u00b7 \u2192 *\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022PRI\u0022, \u0022http_path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via HTTP:10002 \u00b7 (sonde \/ probe) \u00b7 \u2192 *\u0022, \u0022evidence_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\nBh\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10002\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/2.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_no_ua\u0022]","anomalies":"[]","severity":1,"bytes_in":57},{"id":8540591,"ip":"199.45.155.101","ts":"2026-06-08 02:23:33.000000","proto":"tcp","src_port":38024,"dst_port":10002,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.770309349390779, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac72e4c41ae5ba0af08b5124820ee4357041729d\u0022, \u0022event_fingerprint\u0022: \u00227094fed778eec374ad644d7acabe0f7a8ba9c3fb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u00221bbfb21d7e8c858e98d754ae62223d0c\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN\ufffd[\u6332\u0027\\u0016\ufffd\ufffd6\\u001c\ufffd\ufffd\ufffdX\ufffd\ufffd\/\ufffd\ufffdu\ufffd\ufffd;\ufffd0+\ufffd\ufffd NQ\ufffd\\bk\ufffdS\\u001dn\ufffdt6\ufffd\ufffd\ufffdsY\\u0000N\\u001a \\u001aL\u0687HJ\ufffd]\ufffdW\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN\ufffd[\u6332\u0027\\u0016\ufffd\ufffd6\\u001c\ufffd\ufffd\ufffdX\ufffd\ufffd\/\ufffd\ufffdu\ufffd\ufffd;\ufffd0+\ufffd\ufffd NQ\ufffd\\bk\ufffdS\\u001dn\ufffdt6\ufffd\ufffd\ufffdsY\\u0000N\\u001a \\u001aL\u0687HJ\ufffd]\ufffdW\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 ^f\\u0006\ufffd3\ufffd\ufffd2\ufffd\ufffd\ufffd}\ufffdJo\ufffd\\u0016\ufffd\ufffd\ufffd\\u0019\ufffd7\\u00046a\\u0006\\u0006\\u000f\ufffd\\u0011\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN\ufffd[\u6332\u0027\\u0016\ufffd\ufffd6\\u001c\ufffd\ufffd\ufffdX\ufffd\ufffd\/\ufffd\ufffdu\ufffd\ufffd;\ufffd0+\ufffd\ufffd NQ\ufffd\\bk\ufffdS\\u001dn\ufffdt6\ufffd\ufffd\ufffdsY\\u0000N\\u001a \\u001aL\u0687HJ\ufffd]\ufffdW\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221f73ca64f4870d452fe863cefd95557475495048\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN\ufffd[\u6332\u0027\\u0016\ufffd\ufffd6\\u001c\ufffd\ufffd\ufffdX\ufffd\ufffd\/\ufffd\ufffdu\ufffd\ufffd;\ufffd0+\ufffd\ufffd NQ\ufffd\\bk\ufffdS\\u001dn\ufffdt6\ufffd\ufffd\ufffdsY\\u0000N\\u001a \\u001aL\u0687HJ\ufffd]\ufffdW\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdN\ufffd[\u6332\u0027\ufffd\ufffd6\ufffd\ufffd\ufffdX\ufffd\ufffd\/\ufffd\ufffdu\ufffd\ufffd;\ufffd0+\ufffd\ufffd NQ\ufffdk\ufffdSn\ufffdt6\ufffd\ufffd\ufffdsYN L\u0687HJ\ufffd]\ufffdW\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:10002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN\ufffd[\u6332\u0027\\u0016\ufffd\ufffd6\\u001c\ufffd\ufffd\ufffdX\ufffd\ufffd\/\ufffd\ufffdu\ufffd\ufffd;\ufffd0+\ufffd\ufffd NQ\ufffd\\bk\ufffdS\\u001dn\ufffdt6\ufffd\ufffd\ufffdsY\\u0000N\\u001a \\u001aL\u0687HJ\ufffd]\ufffdW\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:10002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdN\ufffd[\u6332\u0027\ufffd\ufffd6\ufffd\ufffd\ufffdX\ufffd\ufffd\/\ufffd\ufffdu\ufffd\ufffd;\ufffd0+\ufffd\ufffd NQ\ufffdk\ufffdSn\ufffdt6\ufffd\ufffd\ufffdsYN L\u0687HJ\ufffd]\ufffdW\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10002\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8540588,"ip":"199.45.155.101","ts":"2026-06-08 02:23:27.000000","proto":"tcp","src_port":47240,"dst_port":10002,"service":"http","classification":"http","waf_score":3,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u00225817925db6a96eeacba22edc14fd3e8b07993d86\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 42, \u0022payload_entropy\u0022: 4.14161920818398, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 20.0, \u0022risk_classification\u0022: 8.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224c2bacbcfd0ad277cac06b78e87640c72f08cf51\u0022, \u0022event_fingerprint\u0022: \u0022d4fcaac489997ffd7c070a3d7fe461b7f6503fc6\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022898df5276b4dae5a57eb819ad310413a\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%\u0022}, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002236f00c0ec60b4dfdb3a60c00acf1a181ee80dc44\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\u0022, \u0022attack_vector\u0022: \u0022http \u00b7 via HTTP:10002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Tags WAF: sap-sapcontrol-path \u00b7 confiance 61%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 20.0, \u0022classification\u0022: 8.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http \u00b7 via HTTP:10002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10002\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 61 % \u2014 Score WAF 20 \u00b7 1 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +8 \u00b7 1 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 3, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022port:10002\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:10002","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":1,"bytes_in":42},{"id":8540585,"ip":"199.45.155.101","ts":"2026-06-08 02:23:26.000000","proto":"tcp","src_port":47228,"dst_port":10002,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.857859152527511, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 4.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac72e4c41ae5ba0af08b5124820ee4357041729d\u0022, \u0022event_fingerprint\u0022: \u00227094fed778eec374ad644d7acabe0f7a8ba9c3fb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.57, \u0022classification_confidence\u0022: 0.57, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u0022c4ad5bfa893c93aa57d571c6ab60b0ce\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdKN\ufffd\u0026q\ufffdR9\ufffd\ufffd\ufffdD\\u0013\ufffdC\ufffd\\u0002n\ufffdK\ufffd4Fk#Q#\ufffd\ufffd\\u0010\ufffd \ufffd{\ufffd\ufffd\ufffd\ufffdw\\\u0022=M\ufffd\ufffd\\u0007\\u0002\\u0017#\\\u0022\ufffd\ufffd$l\\u001f\ufffd\ufffd\ua1d8\ufffd|\ufffdv\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdKN\ufffd\u0026q\ufffdR9\ufffd\ufffd\ufffdD\\u0013\ufffdC\ufffd\\u0002n\ufffdK\ufffd4Fk#Q#\ufffd\ufffd\\u0010\ufffd \ufffd{\ufffd\ufffd\ufffd\ufffdw\\\u0022=M\ufffd\ufffd\\u0007\\u0002\\u0017#\\\u0022\ufffd\ufffd$l\\u001f\ufffd\ufffd\ua1d8\ufffd|\ufffdv\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 H\ufffdr\u0670\ufffd\ufffd\ufffd\/\\u000bG\\b\ufffd\u03ccx\ufffd\ufffd=\ufffdA\ufffd]\\u0012\u003E?\ufffd\ufffd\ufffd\ufffd\\r\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdKN\ufffd\u0026q\ufffdR9\ufffd\ufffd\ufffdD\\u0013\ufffdC\ufffd\\u0002n\ufffdK\ufffd4Fk#Q#\ufffd\ufffd\\u0010\ufffd \ufffd{\ufffd\ufffd\ufffd\ufffdw\\\u0022=M\ufffd\ufffd\\u0007\\u0002\\u0017#\\\u0022\ufffd\ufffd$l\\u001f\ufffd\ufffd\ua1d8\ufffd|\ufffdv\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228f1a2a91a2fdb869b1d96c96b95a78a7bc5e921f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdKN\ufffd\u0026q\ufffdR9\ufffd\ufffd\ufffdD\\u0013\ufffdC\ufffd\\u0002n\ufffdK\ufffd4Fk#Q#\ufffd\ufffd\\u0010\ufffd \ufffd{\ufffd\ufffd\ufffd\ufffdw\\\u0022=M\ufffd\ufffd\\u0007\\u0002\\u0017#\\\u0022\ufffd\ufffd$l\\u001f\ufffd\ufffd\ua1d8\ufffd|\ufffdv\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdKN\ufffd\u0026q\ufffdR9\ufffd\ufffd\ufffdD\ufffdC\ufffdn\ufffdK\ufffd4Fk#Q#\ufffd\ufffd\ufffd \ufffd{\ufffd\ufffd\ufffd\ufffdw\\\u0022=M\ufffd\ufffd#\\\u0022\ufffd\ufffd$l\ufffd\ufffd\ua1d8\ufffd|\ufffdv\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:10002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 57, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdKN\ufffd\u0026q\ufffdR9\ufffd\ufffd\ufffdD\\u0013\ufffdC\ufffd\\u0002n\ufffdK\ufffd4Fk#Q#\ufffd\ufffd\\u0010\ufffd \ufffd{\ufffd\ufffd\ufffd\ufffdw\\\u0022=M\ufffd\ufffd\\u0007\\u0002\\u0017#\\\u0022\ufffd\ufffd$l\\u001f\ufffd\ufffd\ua1d8\ufffd|\ufffdv\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022port\u0022: 10002, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:10002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdKN\ufffd\u0026q\ufffdR9\ufffd\ufffd\ufffdD\ufffdC\ufffdn\ufffdK\ufffd4Fk#Q#\ufffd\ufffd\ufffd \ufffd{\ufffd\ufffd\ufffd\ufffdw\\\u0022=M\ufffd\ufffd#\\\u0022\ufffd\ufffd$l\ufffd\ufffd\ua1d8\ufffd|\ufffdv\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u002210002 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022port:10002\u0022, \u0022tls\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8540583,"ip":"199.45.155.101","ts":"2026-06-08 02:23:23.000000","proto":"tcp","src_port":47214,"dst_port":10002,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b94e0ea8ee51be35741e1626c845b9cdea13e184\u0022, \u0022event_fingerprint\u0022: \u0022c726313dbb81c0cd1c0fa49d58dc80929d9e3e42\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002293fb07c52ed068a11bdd7d914d9cab2a54f6309b\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 10002}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 10002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210002\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 10002}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 10002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002210002\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8540570,"ip":"199.45.155.101","ts":"2026-06-08 02:23:20.000000","proto":"tcp","src_port":47204,"dst_port":10002,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 8, \u0022payload_entropy\u0022: 2.4056390622295662, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 10002, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b94e0ea8ee51be35741e1626c845b9cdea13e184\u0022, \u0022event_fingerprint\u0022: \u0022c726313dbb81c0cd1c0fa49d58dc80929d9e3e42\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002239fea238df890c005706b34a9316349a\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10002, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022\\u0001I20100\\n\u0022, \u0022request_sample\u0022: \u0022\\u0001I20100\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0001I20100\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001I20100\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0001I20100\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002269d693f1ed9bb58f8d16b605188e7b9eb371cda4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001I20100\u0022, \u0022port\u0022: 10002}, \u0022evidence_snippet\u0022: \u0022I20100\u0022, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 10002 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002210002\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 10002, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001I20100\u0022, \u0022port\u0022: 10002}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 10002 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022I20100\u0022, \u0022target_port_label\u0022: \u002210002\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210002\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":8},{"id":8508913,"ip":"199.45.155.101","ts":"2026-06-07 15:56:49.000000","proto":"tcp","src_port":57858,"dst_port":1963,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.8268179008570975, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022aec791e069ea8597c13e436b512e5a626e94c7a4\u0022, \u0022event_fingerprint\u0022: \u00227f6ca270d6562f05b62f0df1744b5d3d6371467e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u0022260e3bf39a620ef1f965b4606e2fad23\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN8\ufffd4.T\ufffdh\u0355\\u0004\ufffd\ufffda\\b\ufffd\\u0012\ufffd \ufffd\ufffdr:\\t^Na\ufffdq\ufffdV j\\b\\b\ufffd\u0479}G\u0558o\\u000bk\u1c3a\ufffdHB\ufffd\\u0003\\nJ\u003E\\u0005L7\ufffd\ufffdX\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN8\ufffd4.T\ufffdh\u0355\\u0004\ufffd\ufffda\\b\ufffd\\u0012\ufffd \ufffd\ufffdr:\\t^Na\ufffdq\ufffdV j\\b\\b\ufffd\u0479}G\u0558o\\u000bk\u1c3a\ufffdHB\ufffd\\u0003\\nJ\u003E\\u0005L7\ufffd\ufffdX\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd8\ufffd`\u003E\ufffd\u003Ey\ufffd\ufffd=\\u000b\ufffde\ufffdu\ufffd\ufffdi\\t\ufffdH\ufffd\ufffd\ufffd\u003C?v\ufffd.\ufffd\\u000e\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN8\ufffd4.T\ufffdh\u0355\\u0004\ufffd\ufffda\\b\ufffd\\u0012\ufffd \ufffd\ufffdr:\\t^Na\ufffdq\ufffdV j\\b\\b\ufffd\u0479}G\u0558o\\u000bk\u1c3a\ufffdHB\ufffd\\u0003\\nJ\u003E\\u0005L7\ufffd\ufffdX\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN8\ufffd4.T\ufffdh\u0355\\u0004\ufffd\ufffda\\b\ufffd\\u0012\ufffd \ufffd\ufffdr:\\t^Na\ufffdq\ufffdV j\\b\\b\ufffd\u0479}G\u0558o\\u000bk\u1c3a\ufffdHB\ufffd\\u0003\\nJ\u003E\\u0005L7\ufffd\ufffdX\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \ufffd8\ufffd`\u003E\ufffd\u003Ey\ufffd\ufffd=\\u000b\ufffde\ufffdu\ufffd\ufffdi\\t\ufffdH\ufffd\ufffd\ufffd\u003C?v\ufffd.\ufffd\\u000e\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdN8\ufffd4.T\ufffdh\u0355\\u0004\ufffd\ufffda\\b\ufffd\\u0012\ufffd \ufffd\ufffdr:\\t^Na\ufffdq\ufffdV j\\b\\b\ufffd\u0479}G\u0558o\\u000bk\u1c3a\ufffdHB\ufffd\\u0003\\nJ\u003E\\u0005L7\ufffd\ufffdX\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ac17bf83e644cd5be70cb426045037845b2628d4\u0022, \u0022protocol_details\u0022: {\u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdN8\ufffd4.T\ufffdh\u0355\ufffd\ufffda\ufffd\ufffd \ufffd\ufffdr:\\t^Na\ufffdq\ufffdV j\ufffd\u0479}G\u0558ok\u1c3a\ufffdHB\ufffd\\nJ\u003EL7\ufffd\ufffdX\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1963 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1963 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdN8\ufffd4.T\ufffdh\u0355\ufffd\ufffda\ufffd\ufffd \ufffd\ufffdr:\\t^Na\ufffdq\ufffdV j\ufffd\u0479}G\u0558ok\u1c3a\ufffdHB\ufffd\\nJ\u003EL7\ufffd\ufffdX\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8508914,"ip":"199.45.155.101","ts":"2026-06-07 15:56:49.000000","proto":"tcp","src_port":57864,"dst_port":1963,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/login","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u0022df1fa056ede7bb4d9931324d42f1394e668ba780\u0022, \u0022http_target_hash\u0022: \u0022c42c80aa06113268fddf90dfdc871fb7318ff5cf\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 166, \u0022payload_entropy\u0022: 5.171516558230478, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 67.5, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220722f73f3d6efcaba5608a105fadf3ab08fdcaa8\u0022, \u0022event_fingerprint\u0022: \u0022f55b7affa879afa3a6160f733bd4f709079d7b46\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA censys\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002232e8fb3a921e31a4753da44965548f23\u0022, \u0022payload_hash\u0022: \u0022ec51be208873cf551c9079ceafe08bfc\u0022, \u0022path_pattern_hash\u0022: \u00227e93fba0bc7adda858a2500090e639e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/login\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/login\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222185db4dbeb393fd1230ef9429d18d78fcc3548c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/login\u0022, \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:1963 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/login\u0022, \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:1963 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/login\u0022, \u0022evidence_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_login\u0022, \u0022http_ua_disclosed_scanner\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:1963","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_login\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":166},{"id":8508909,"ip":"199.45.155.101","ts":"2026-06-07 15:56:45.000000","proto":"tcp","src_port":57836,"dst_port":1963,"service":"http","classification":"web_scanner","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u0022df1fa056ede7bb4d9931324d42f1394e668ba780\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 161, \u0022payload_entropy\u0022: 5.174947819036265, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 75.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b0e8ce577f05611a95b1be5fe5ba699731122363\u0022, \u0022event_fingerprint\u0022: \u00229a0ce17a9eb09412323d3697c23eb1fd50cf67ec\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 145, \u0022precision_signals\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA censys\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002232e8fb3a921e31a4753da44965548f23\u0022, \u0022payload_hash\u0022: \u0022a4855417ec2b77af13aa538fdec64655\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1595\u0022], \u0022mitre\u0022: \u0022T1595\u0022, \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b5a50f40326a5471de3e4fb36532c22eaab56a65\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:1963 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 47}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 47, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Scanner Censys\u0022, \u0022Upstream\u0022, \u0022Waf Score\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1595\u0022, \u0022mitre_technique\u0022: \u0022T1595\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022web scanner \u00b7 via HTTP:1963 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccep\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 5 tag(s) WAF\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:1963","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":161},{"id":8508910,"ip":"199.45.155.101","ts":"2026-06-07 15:56:45.000000","proto":"tcp","src_port":57852,"dst_port":1963,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"PRI","http_target":"*","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022df58248c414f342c81e056b40bee12d17a08bf61\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022PRI\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 24, \u0022payload_entropy\u0022: 3.66829583405449, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 33, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022edb4641bd7aec40a359d68f99204080ec29a8e11\u0022, \u0022event_fingerprint\u0022: \u0022aded635bb75b03e9fe8720e734faf90b34d7173a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%\u0022, \u0022confidence\u0022: 0.34, \u0022classification_confidence\u0022: 0.34, \u0022precision_score\u0022: 40, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-single-port\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 34.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bd71964d35f553a9e1d0cddcb5864e08\u0022, \u0022path_pattern_hash\u0022: \u0022684888c0ebb17f374298b65ee2807526\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 33}, \u0022payload_preview\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022PRI\u0022, \u0022path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022PRI\u0022, \u0022path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228306af2ad03223f75bb619c46f358b25f0950d7f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022PRI\u0022, \u0022http_path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:1963 \u00b7 (sonde \/ probe) \u00b7 \u2192 *\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 34 % \u2014 1 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%\u0022, \u0022confidence_pct\u0022: 34, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 33, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022PRI\u0022, \u0022http_path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:1963 \u00b7 (sonde \/ probe) \u00b7 \u2192 *\u0022, \u0022evidence_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 34 % \u2014 1 signal(aux) capteur\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/2.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_no_ua\u0022]","anomalies":"[]","severity":1,"bytes_in":24},{"id":8508907,"ip":"199.45.155.101","ts":"2026-06-07 15:56:44.000000","proto":"tcp","src_port":57826,"dst_port":1963,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.828318015987139, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022aec791e069ea8597c13e436b512e5a626e94c7a4\u0022, \u0022event_fingerprint\u0022: \u00227f6ca270d6562f05b62f0df1744b5d3d6371467e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u00223ec29e6e3c09ac7758452b5fa2a7c39b\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e:\ufffd%\ufffd\ufffd_~\ufffd\ufffd\ufffd\ufffd\ufffdqp\ufffd\u003CC\ufffd`\ufffd\ufffd+=\ufffd\ufffd\\u0003\ufffdK \ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd*f\u07fd\ufffdy\\u0016\u072f\ufffd\\u001cV\\u0010\ufffd\ufffd\ufffdH\ufffd\ufffdR\ufffdo\ufffd\ufffd\\u0002\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e:\ufffd%\ufffd\ufffd_~\ufffd\ufffd\ufffd\ufffd\ufffdqp\ufffd\u003CC\ufffd`\ufffd\ufffd+=\ufffd\ufffd\\u0003\ufffdK \ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd*f\u07fd\ufffdy\\u0016\u072f\ufffd\\u001cV\\u0010\ufffd\ufffd\ufffdH\ufffd\ufffdR\ufffdo\ufffd\ufffd\\u0002\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 m\\u0014\ufffd\u0026\ufffd\ufffd\ufffd7\ufffd\ufffd\ufffd;\ufffd\ufffd(\ufffd \ufffd \ufffd0\ufffd\ufffd\\u0012\ufffdN\ufffd\ufffd\\u001d4\ufffdz\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e:\ufffd%\ufffd\ufffd_~\ufffd\ufffd\ufffd\ufffd\ufffdqp\ufffd\u003CC\ufffd`\ufffd\ufffd+=\ufffd\ufffd\\u0003\ufffdK \ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd*f\u07fd\ufffdy\\u0016\u072f\ufffd\\u001cV\\u0010\ufffd\ufffd\ufffdH\ufffd\ufffdR\ufffdo\ufffd\ufffd\\u0002\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e:\ufffd%\ufffd\ufffd_~\ufffd\ufffd\ufffd\ufffd\ufffdqp\ufffd\u003CC\ufffd`\ufffd\ufffd+=\ufffd\ufffd\\u0003\ufffdK \ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd*f\u07fd\ufffdy\\u0016\u072f\ufffd\\u001cV\\u0010\ufffd\ufffd\ufffdH\ufffd\ufffdR\ufffdo\ufffd\ufffd\\u0002\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 m\\u0014\ufffd\u0026\ufffd\ufffd\ufffd7\ufffd\ufffd\ufffd;\ufffd\ufffd(\ufffd \ufffd \ufffd0\ufffd\ufffd\\u0012\ufffdN\ufffd\ufffd\\u001d4\ufffdz\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003e:\ufffd%\ufffd\ufffd_~\ufffd\ufffd\ufffd\ufffd\ufffdqp\ufffd\u003CC\ufffd`\ufffd\ufffd+=\ufffd\ufffd\\u0003\ufffdK \ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd*f\u07fd\ufffdy\\u0016\u072f\ufffd\\u001cV\\u0010\ufffd\ufffd\ufffdH\ufffd\ufffdR\ufffdo\ufffd\ufffd\\u0002\ufffd\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228ca203e6e750016513da413aba288ba82598f803\u0022, \u0022protocol_details\u0022: {\u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffde:\ufffd%\ufffd\ufffd_~\ufffd\ufffd\ufffd\ufffd\ufffdqp\ufffd\u003CC\ufffd`\ufffd\ufffd+=\ufffd\ufffd\ufffdK \ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd*f\u07fd\ufffdy\u072f\ufffdV\ufffd\ufffd\ufffdH\ufffd\ufffdR\ufffdo\ufffd\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1963 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1963 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffde:\ufffd%\ufffd\ufffd_~\ufffd\ufffd\ufffd\ufffd\ufffdqp\ufffd\u003CC\ufffd`\ufffd\ufffd+=\ufffd\ufffd\ufffdK \ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd*f\u07fd\ufffdy\u072f\ufffdV\ufffd\ufffd\ufffdH\ufffd\ufffdR\ufffdo\ufffd\ufffd\ufffd\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8508905,"ip":"199.45.155.101","ts":"2026-06-07 15:56:41.000000","proto":"tcp","src_port":57820,"dst_port":1963,"service":"http","classification":"web_probe","waf_score":8,"waf_tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022df1fa056ede7bb4d9931324d42f1394e668ba780\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 154, \u0022payload_entropy\u0022: 5.266371705338797, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 40.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 40.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a70d7b7022a76ec56c11d3666ac5f5fd4e51aa62\u0022, \u0022event_fingerprint\u0022: \u0022ccd56091ac2dc2808b239025d89c22481f67d967\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 34%\u0022, \u0022confidence\u0022: 0.34, \u0022classification_confidence\u0022: 0.34, \u0022precision_score\u0022: 40, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-single-port\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 40.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 34.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c675f8a474ce37ef5f3e70f621d3d0cb\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 38}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 9hzH9cNfeb+wyqwsgVHAvw==\\r\\nSec-WebSocket-Version: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022websocket-anomaly\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 9hzH9cNfeb+wyqwsgVHAvw==\\r\\nSec-WebSocket-Version: 13\\r\\nUpgrade: websocket\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 9hzH9cNfeb+wyqwsgVHAvw==\\r\\nSec-WebSocket-Version:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022], \u0022waf_rule_names\u0022: [\u0022sap-sapcontrol-path\u0022, \u0022websocket-anomaly\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 9hzH9cNfeb+wyqwsgVHAvw==\\r\\nSec-WebSocket-Version: 13\\r\\nUpgrade: websocket\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 9hzH9cNfeb+wyqwsgVHAvw==\\r\\nSec-WebSocket-Version:\u0022, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 34%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002223553182e39ff74cbc17cd4d5f57fe7283de3438\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 9hzH9cNfeb+wyqwsgVHAvw==\\r\\nSec-WebSocket-Version:\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:1963 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 34 % \u2014 2 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 34%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 34%\u0022, \u0022confidence_pct\u0022: 34, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 40.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:1963 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1963\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 9hzH9cNfeb+wyqwsgVHAvw==\\r\\nSec-WebSocket-Version:\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 34 % \u2014 2 tag(s) WAF\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:1963","http_user_agent":null,"http_referer":null,"tags":"[\u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":4,"bytes_in":154},{"id":8508895,"ip":"199.45.155.101","ts":"2026-06-07 15:56:37.000000","proto":"tcp","src_port":48634,"dst_port":1963,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.774176744772711, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022aec791e069ea8597c13e436b512e5a626e94c7a4\u0022, \u0022event_fingerprint\u0022: \u00227f6ca270d6562f05b62f0df1744b5d3d6371467e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u00222c343bfda1016c9467e212c8b912cb22\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022, \u0022ja4\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022}, \u0022tls_ja3\u0022: \u0022771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0\u0022, \u0022tls_ja4_hash\u0022: \u00227b5e3a15097abc10f88e98257ea51010\u0022, \u0022tls_ja4\u0022: \u0022t13d0119_86cb3216d275_cc710080a5f9\u0022, \u0022tls_version\u0022: \u00220x0303\u0022, \u0022tls_cipher_count\u0022: 19, \u0022ja3_client_category\u0022: \u0022nmap_scanner\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdW\ufffd\\u0005\ufffd\\u001bC\ufffd\ufffd\ufffd\\u0014\ufffd:\ufffd}\ufffd\\u0000\ufffd\\t\ufffdh\u018e\ufffd\\r\\u001b\ufffd#\ufffd[\ufffd \ufffd\ufffd{\\u0012\\u0011\ufffd~\ufffdq\\u0000\u070d\ufffd\\\u0022P\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdVR!\ufffd\/@!\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdW\ufffd\\u0005\ufffd\\u001bC\ufffd\ufffd\ufffd\\u0014\ufffd:\ufffd}\ufffd\\u0000\ufffd\\t\ufffdh\u018e\ufffd\\r\\u001b\ufffd#\ufffd[\ufffd \ufffd\ufffd{\\u0012\\u0011\ufffd~\ufffdq\\u0000\u070d\ufffd\\\u0022P\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdVR!\ufffd\/@!\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u001a]\ufffd\\u0006h\ufffd:\ufffdke\ufffd\ufffdf\ufffd!\u00cc\\u0017\ufffd\\u000e,\\u0011\/\ufffd\ufffdv\\u000e!\\r\ufffd\ufffd}\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdW\ufffd\\u0005\ufffd\\u001bC\ufffd\ufffd\ufffd\\u0014\ufffd:\ufffd}\ufffd\\u0000\ufffd\\t\ufffdh\u018e\ufffd\\r\\u001b\ufffd#\ufffd[\ufffd \ufffd\ufffd{\\u0012\\u0011\ufffd~\ufffdq\\u0000\u070d\ufffd\\\u0022P\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdVR!\ufffd\/@!\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdW\ufffd\\u0005\ufffd\\u001bC\ufffd\ufffd\ufffd\\u0014\ufffd:\ufffd}\ufffd\\u0000\ufffd\\t\ufffdh\u018e\ufffd\\r\\u001b\ufffd#\ufffd[\ufffd \ufffd\ufffd{\\u0012\\u0011\ufffd~\ufffdq\\u0000\u070d\ufffd\\\u0022P\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdVR!\ufffd\/@!\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \\u001a]\ufffd\\u0006h\ufffd:\ufffdke\ufffd\ufffdf\ufffd!\u00cc\\u0017\ufffd\\u000e,\\u0011\/\ufffd\ufffdv\\u000e!\\r\ufffd\ufffd}\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffdW\ufffd\\u0005\ufffd\\u001bC\ufffd\ufffd\ufffd\\u0014\ufffd:\ufffd}\ufffd\\u0000\ufffd\\t\ufffdh\u018e\ufffd\\r\\u001b\ufffd#\ufffd[\ufffd \ufffd\ufffd{\\u0012\\u0011\ufffd~\ufffdq\\u0000\u070d\ufffd\\\u0022P\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdVR!\ufffd\/@!\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224e5aebc0e4df37759f83486ce3ce8a2464f1aec4\u0022, \u0022protocol_details\u0022: {\u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdW\ufffd\ufffdC\ufffd\ufffd\ufffd\ufffd:\ufffd}\ufffd\ufffd\\t\ufffdh\u018e\ufffd\\r\ufffd#\ufffd[\ufffd \ufffd\ufffd{\ufffd~\ufffdq\u070d\ufffd\\\u0022P\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdVR!\ufffd\/@!\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1963 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-tls\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022tls_ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022port\u0022: 1963, \u0022service\u0022: \u0022tls\u0022, \u0022service_label_fr\u0022: \u0022TLS\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via TLS:1963 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffdW\ufffd\ufffdC\ufffd\ufffd\ufffd\ufffd:\ufffd}\ufffd\ufffd\\t\ufffdh\u018e\ufffd\\r\ufffd#\ufffd[\ufffd \ufffd\ufffd{\ufffd~\ufffdq\u070d\ufffd\\\u0022P\ufffd6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdVR!\ufffd\/@!\ufffd\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\\t\ufffd\ufffd\\n\ufffd\ufffd\/5\ufffd\\n{\u0022, \u0022target_port_label\u0022: \u00221963 \u00b7 TLS\u0022, \u0022emulator_service\u0022: \u0022tls\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022tls\u0022, \u0022service_banner\u0022: \u0022honeypot-tls\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8508894,"ip":"199.45.155.101","ts":"2026-06-07 15:56:34.000000","proto":"tcp","src_port":48632,"dst_port":1963,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226becfeb9c20c00c6b8249aacb3872c02192a0b49\u0022, \u0022event_fingerprint\u0022: \u0022a4be6cc4a8423fa085cec9b46ea256c26b87c902\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222fe3ff60f2f85aa086afca549968070f0d764286\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 1963}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 1963 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221963\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 1963}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 1963 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221963\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":8508891,"ip":"199.45.155.101","ts":"2026-06-07 15:56:30.000000","proto":"tcp","src_port":48622,"dst_port":1963,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 26, \u0022payload_entropy\u0022: 3.6235166412180138, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 1963, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226becfeb9c20c00c6b8249aacb3872c02192a0b49\u0022, \u0022event_fingerprint\u0022: \u0022a4be6cc4a8423fa085cec9b46ea256c26b87c902\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0577\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b7348cda1310dd8e9699ce5ceda794a9\u0022, \u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1963, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022\\u0001\\u0001\\u0000\\u001a\\u0000\\u0000\\u0000\\u0000x\ufffd\\u0000\\u0003\\u0000\\fIBETH01N0_M\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0001\\u0001\\u0000\\u001a\\u0000\\u0000\\u0000\\u0000x\ufffd\\u0000\\u0003\\u0000\\fIBETH01N0_M\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0001\\u0001\\u0000\\u001a\\u0000\\u0000\\u0000\\u0000x\ufffd\\u0000\\u0003\\u0000\\fIBETH01N0_M\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001\\u0001\\u0000\\u001a\\u0000\\u0000\\u0000\\u0000x\ufffd\\u0000\\u0003\\u0000\\fIBETH01N0_M\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0001\\u0001\\u0000\\u001a\\u0000\\u0000\\u0000\\u0000x\ufffd\\u0000\\u0003\\u0000\\fIBETH01N0_M\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002273527e32a119c2d949d7f725b1086d9be5001686\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 1963}, \u0022evidence_snippet\u0022: \u0022x\ufffdIBETH01N0_M\u0022, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 1963 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221963\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 1963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0577\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0577\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 1963}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 1963 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022x\ufffdIBETH01N0_M\u0022, \u0022target_port_label\u0022: \u00221963\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":26},{"id":8427567,"ip":"199.45.155.101","ts":"2026-06-07 02:12:28.000000","proto":"tcp","src_port":53866,"dst_port":5900,"service":"vnc","classification":"vnc_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022524642203030332e3030380a\u0022, \u0022emulator_response_len\u0022: 12, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 2.9182958340544896, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022vnc\u0022, \u0022app_proto\u0022: \u0022vnc\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 5900, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226d3dc0fa8adf2e2938379a8cfc97b986901e95fd\u0022, \u0022event_fingerprint\u0022: \u00223a1818c09cc3b5e6ad75703011c0dde91c1bf15b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab vnc_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%\u0022, \u0022confidence\u0022: 0.71, \u0022classification_confidence\u0022: 0.71, \u0022precision_score\u0022: 79, \u0022precision_signals\u0022: [\u0022pat-0552\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0552\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0552\u0022], \u0022matched_pattern_names\u0022: [\u0022VNC RFB 3.8\u0022], \u0022pattern_ids\u0022: [\u0022pat-0552\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022vnc\u0022, \u0022risk_confidence_factor\u0022: 71.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002259ac080647b56a2a43715cdf9e630c46\u0022, \u0022path_pattern_hash\u0022: \u002261f146998107ee0d48dcdbbf16d99fc0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5900, \u0022service\u0022: \u0022vnc\u0022, \u0022service_name\u0022: \u0022vnc\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022RFB 003.008\\n\u0022, \u0022request_sample\u0022: \u0022RFB 003.008\\n\u0022, \u0022payload_snippet\u0022: \u0022RFB 003.008\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022RFB 003.008\\n\u0022, \u0022payload_snippet\u0022: \u0022RFB 003.008\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab vnc_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223625caf46fdd76ec2bebe348d702174c99073786\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022vnc\u0022, \u0022service_banner\u0022: \u0022honeypot-vnc\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225900\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022probe\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_vnc_probe\u0022, \u0022vnc_banner\u0022, \u0022vnc_emulated\u0022, \u0022vnc_payload\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_vnc_probe\u0022, \u0022vnc_banner\u0022, \u0022vnc_emulated\u0022, \u0022vnc_payload\u0022]","anomalies":"[]","severity":6,"bytes_in":12},{"id":8380076,"ip":"199.45.155.101","ts":"2026-06-06 09:36:17.000000","proto":"tcp","src_port":47442,"dst_port":831,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.816479409616051, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 831, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 23, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002269e1578f8a1c61533864a34387ba008cb4f0b297\u0022, \u0022event_fingerprint\u0022: \u0022335006aa0a0d78d092cc7d6d9701b7d56338c3d9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u0022a27b7b78e9bae6ce2943845485b5de65\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 831, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000b\ufffdF\\u0017H\ufffd6\ufffd\\u001b\ufffda8\/w5\ufffd^b\ufffdZi3\\t\ufffd\ufffd*\ufffd\ufffd\u05ce\ufffd\u0026 \ufffd\ufffd\ufffd\\u001c\ufffd\\u0016\ufffd\ufffd%2\ufffdB\ufffd\ufffdB\\u001d\ufffd:\\t\\u0017 \ufffd\ufffdv\\u0012~!\ufffd\ufffda\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000b\ufffdF\\u0017H\ufffd6\ufffd\\u001b\ufffda8\/w5\ufffd^b\ufffdZi3\\t\ufffd\ufffd*\ufffd\ufffd\u05ce\ufffd\u0026 \ufffd\ufffd\ufffd\\u001c\ufffd\\u0016\ufffd\ufffd%2\ufffdB\ufffd\ufffdB\\u001d\ufffd:\\t\\u0017 \ufffd\ufffdv\\u0012~!\ufffd\ufffda\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 r\ufffdR\ufffd\ufffd\\nW!-\ufffdw\ufffd\u04d2\ufffd[\ufffd\ufffd\\u001f\ufffd\\t\\u0004\\f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO03\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000b\ufffdF\\u0017H\ufffd6\ufffd\\u001b\ufffda8\/w5\ufffd^b\ufffdZi3\\t\ufffd\ufffd*\ufffd\ufffd\u05ce\ufffd\u0026 \ufffd\ufffd\ufffd\\u001c\ufffd\\u0016\ufffd\ufffd%2\ufffdB\ufffd\ufffdB\\u001d\ufffd:\\t\\u0017 \ufffd\ufffdv\\u0012~!\ufffd\ufffda\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000b\ufffdF\\u0017H\ufffd6\ufffd\\u001b\ufffda8\/w5\ufffd^b\ufffdZi3\\t\ufffd\ufffd*\ufffd\ufffd\u05ce\ufffd\u0026 \ufffd\ufffd\ufffd\\u001c\ufffd\\u0016\ufffd\ufffd%2\ufffdB\ufffd\ufffdB\\u001d\ufffd:\\t\\u0017 \ufffd\ufffdv\\u0012~!\ufffd\ufffda\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 r\ufffdR\ufffd\ufffd\\nW!-\ufffdw\ufffd\u04d2\ufffd[\ufffd\ufffd\\u001f\ufffd\\t\\u0004\\f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdO03\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\\u000b\ufffdF\\u0017H\ufffd6\ufffd\\u001b\ufffda8\/w5\ufffd^b\ufffdZi3\\t\ufffd\ufffd*\ufffd\ufffd\u05ce\ufffd\u0026 \ufffd\ufffd\ufffd\\u001c\ufffd\\u0016\ufffd\ufffd%2\ufffdB\ufffd\ufffdB\\u001d\ufffd:\\t\\u0017 \ufffd\ufffdv\\u0012~!\ufffd\ufffda\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e9d6b5499e3d84aad9ddb81bf9b463cc6ae9c6e4\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8380078,"ip":"199.45.155.101","ts":"2026-06-06 09:36:17.000000","proto":"tcp","src_port":47456,"dst_port":831,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/login","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u0022d9b6cbfc65f84989db203e017e442a9ca4e8a4e8\u0022, \u0022http_target_hash\u0022: \u0022c42c80aa06113268fddf90dfdc871fb7318ff5cf\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 165, \u0022payload_entropy\u0022: 5.1615658691710875, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 831, \u0022risk_waf\u0022: 67.5, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 67.5, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229419d8fd5d1fe2a75c24fb0af82107383c912bb9\u0022, \u0022event_fingerprint\u0022: \u00220191ade2de98a79b7d7e905f0a038358174e8572\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA censys\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002232e8fb3a921e31a4753da44965548f23\u0022, \u0022payload_hash\u0022: \u0022f4d32f858cbb2283ee4692884534bf6a\u0022, \u0022path_pattern_hash\u0022: \u00227e93fba0bc7adda858a2500090e639e4\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 831, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nA\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/login\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nA\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/login\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/login HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/login HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nA\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022, \u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c90d9c9a7dbc3cac8bf539d05a282461bc7629b4\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_login\u0022, \u0022http_ua_disclosed_scanner\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:831","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_login\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":165},{"id":8380067,"ip":"199.45.155.101","ts":"2026-06-06 09:36:13.000000","proto":"tcp","src_port":47440,"dst_port":831,"service":"http","classification":"postgres_probe","waf_score":0,"waf_tags":"[]","http_method":"PRI","http_target":"*","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022df58248c414f342c81e056b40bee12d17a08bf61\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022PRI\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 57, \u0022payload_entropy\u0022: 3.474882067394362, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 831, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 16, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002283e0d723753ceeb38b4124aca5c1583110d89cd9\u0022, \u0022event_fingerprint\u0022: \u00229afb0347edb3916f9aabf5a1b90f51c71d5349c0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0369\u0022, \u0022pat-0532\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022PostgreSQL startup\u0022, \u0022NFS RPC mount\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0369\u0022, \u0022pat-0532\u0022, \u0022pat-0554\u0022], \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fe3435fc30fb19e768a81e744ede3fba\u0022, \u0022path_pattern_hash\u0022: \u0022684888c0ebb17f374298b65ee2807526\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 831, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\n\u0022, \u0022method\u0022: \u0022PRI\u0022, \u0022path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\n\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022PRI\u0022, \u0022path\u0022: \u0022*\u0022, \u0022request_line\u0022: \u0022PRI * HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\n\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0018\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000Bh\\u0000\\u0006\\u0000\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022690017ac0efe2747dca0eb7efb0f59f9f7436211\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/2.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_no_ua\u0022]","anomalies":"[]","severity":1,"bytes_in":57},{"id":8380064,"ip":"199.45.155.101","ts":"2026-06-06 09:36:12.000000","proto":"tcp","src_port":47408,"dst_port":831,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.840958162299485, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 831, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 23, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002269e1578f8a1c61533864a34387ba008cb4f0b297\u0022, \u0022event_fingerprint\u0022: \u0022335006aa0a0d78d092cc7d6d9701b7d56338c3d9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u0022907684ba130904139d59d3b5b88e2128\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 831, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u00034,\ufffdv!`\ufffd\ufffd\\u000e\u043a\\u0006\ufffdG\\u0010\ufffd\ufffd\ufffdc\ufffdf\ufffd\ufffdL\\u0002R-\ufffd\ufffd\ufffd \ufffd\ufffd\\u0010T}\ufffd\ufffd\ufffd-d\/D\u003Ea\\u0019\u003C\ufffdXI\ufffd\ufffd4\ufffd\\u000e\ufffd\\f,f`q\\u0010\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u00034,\ufffdv!`\ufffd\ufffd\\u000e\u043a\\u0006\ufffdG\\u0010\ufffd\ufffd\ufffdc\ufffdf\ufffd\ufffdL\\u0002R-\ufffd\ufffd\ufffd \ufffd\ufffd\\u0010T}\ufffd\ufffd\ufffd-d\/D\u003Ea\\u0019\u003C\ufffdXI\ufffd\ufffd4\ufffd\\u000e\ufffd\\f,f`q\\u0010\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \u0172hh\ufffdKS\ufffdH\ufffd\ufffd\\r\ufffd\ufffdO\\u001a\ufffd\ufffd\ufffdav\\t\\u001e\\fC\ufffdZA:\ufffd=h\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u00034,\ufffdv!`\ufffd\ufffd\\u000e\u043a\\u0006\ufffdG\\u0010\ufffd\ufffd\ufffdc\ufffdf\ufffd\ufffdL\\u0002R-\ufffd\ufffd\ufffd \ufffd\ufffd\\u0010T}\ufffd\ufffd\ufffd-d\/D\u003Ea\\u0019\u003C\ufffdXI\ufffd\ufffd4\ufffd\\u000e\ufffd\\f,f`q\\u0010\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u00034,\ufffdv!`\ufffd\ufffd\\u000e\u043a\\u0006\ufffdG\\u0010\ufffd\ufffd\ufffdc\ufffdf\ufffd\ufffdL\\u0002R-\ufffd\ufffd\ufffd \ufffd\ufffd\\u0010T}\ufffd\ufffd\ufffd-d\/D\u003Ea\\u0019\u003C\ufffdXI\ufffd\ufffd4\ufffd\\u000e\ufffd\\f,f`q\\u0010\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 \u0172hh\ufffdKS\ufffdH\ufffd\ufffd\\r\ufffd\ufffdO\\u001a\ufffd\ufffd\ufffdav\\t\\u001e\\fC\ufffdZA:\ufffd=h\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u00034,\ufffdv!`\ufffd\ufffd\\u000e\u043a\\u0006\ufffdG\\u0010\ufffd\ufffd\ufffdc\ufffdf\ufffd\ufffdL\\u0002R-\ufffd\ufffd\ufffd \ufffd\ufffd\\u0010T}\ufffd\ufffd\ufffd-d\/D\u003Ea\\u0019\u003C\ufffdXI\ufffd\ufffd4\ufffd\\u000e\ufffd\\f,f`q\\u0010\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002216f29873e21036e803d36f8530fbb815870086f0\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8380066,"ip":"199.45.155.101","ts":"2026-06-06 09:36:12.000000","proto":"tcp","src_port":47424,"dst_port":831,"service":"http","classification":"web_scanner","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u0022d9b6cbfc65f84989db203e017e442a9ca4e8a4e8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 160, \u0022payload_entropy\u0022: 5.164984229189773, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 831, \u0022risk_waf\u0022: 75.0, \u0022risk_classification\u0022: 42.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 75.0, \u0022classification\u0022: 42.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 48, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228426f92ca92e46e50fe384dc410fa56d7b203d20\u0022, \u0022event_fingerprint\u0022: \u00227c13519e6dc79e60b761f2cd8871452942693268\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 145, \u0022precision_signals\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-scanner-censys\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022UA censys\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0431\u0022], \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002232e8fb3a921e31a4753da44965548f23\u0022, \u0022payload_hash\u0022: \u002261e2846acfda95b3c6ba02c3369d72bc\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 831, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept: *\/*\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\\r\\nAccept\u0022, \u0022classification_reason\u0022: \u0022User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022disclosed_scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224a53924fbfedfe8c589cc7751c1530b1c3bcdcfa\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:831","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022http_ua_disclosed_scanner\u0022]","anomalies":"[]","severity":3,"bytes_in":160},{"id":8380059,"ip":"199.45.155.101","ts":"2026-06-06 09:36:08.000000","proto":"tcp","src_port":39584,"dst_port":831,"service":"http","classification":"lfi_path_traversal","waf_score":22,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d9b6cbfc65f84989db203e017e442a9ca4e8a4e8\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 153, \u0022payload_entropy\u0022: 5.25254512992928, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 831, \u0022risk_waf\u0022: 96.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 35.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 96.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 35.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f2dd25d1303a44697ca478cbef9f14eea4c8a092\u0022, \u0022event_fingerprint\u0022: \u0022862386118555c292e10d1000908312976addf670\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227bd7b386b61e1ace88d059dc19ac2b21\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 831, \u0022service\u0022: \u0022http\u0022}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 5R\/ny\/5AQR10liiLNAfttQ==\\r\\nSec-WebSocket-Version: 1\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022, \u0022websocket-anomaly\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 5R\/ny\/5AQR10liiLNAfttQ==\\r\\nSec-WebSocket-Version: 13\\r\\nUpgrade: websocket\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 5R\/ny\/5AQR10liiLNAfttQ==\\r\\nSec-WebSocket-Version: 1\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022, \u0022websocket-anomaly\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 5R\/ny\/5AQR10liiLNAfttQ==\\r\\nSec-WebSocket-Version: 13\\r\\nUpgrade: websocket\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:831\\r\\nConnection: Upgrade\\r\\nSec-WebSocket-Key: 5R\/ny\/5AQR10liiLNAfttQ==\\r\\nSec-WebSocket-Version: 1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f171abc23297747079bb5579df3c1c08808fcbd4\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022, \u0022http_no_ua\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:831","http_user_agent":null,"http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022, \u0022951040:websocket-anomaly\u0022, \u0022http_no_ua\u0022]","anomalies":"[]","severity":10,"bytes_in":153},{"id":8380054,"ip":"199.45.155.101","ts":"2026-06-06 09:36:04.000000","proto":"tcp","src_port":39570,"dst_port":831,"service":"tls","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022tls_ja3_hash\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022tls_sni\u0022: null, \u0022tls_weak_cipher\u0022: true, \u0022tls_weak_cipher_count\u0022: 4, \u0022bytes_in\u0022: 243, \u0022payload_entropy\u0022: 5.831108590548283, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022tls\u0022, \u0022app_proto\u0022: \u0022tls\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 831, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 6, \u0022risk_granularity\u0022: 5.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 23, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002269e1578f8a1c61533864a34387ba008cb4f0b297\u0022, \u0022event_fingerprint\u0022: \u0022335006aa0a0d78d092cc7d6d9701b7d56338c3d9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL startup\u0022, \u0022Minecraft varint handshake\u0022, \u0022SOCKS5 greeting\u0022, \u0022SIP TLS ClientHello\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0369\u0022, \u0022pat-0554\u0022, \u0022pat-0567\u0022, \u0022pat-0578\u0022, \u0022pat-0536\u0022], \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022ja3\u0022: \u002235fa0a83e466acbec1cfbb9016d550ab\u0022, \u0022payload_hash\u0022: \u00224b1a15dd3bce0f6d0fd0196fca85a66e\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 831, \u0022service\u0022: \u0022tls\u0022}, \u0022payload_preview\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u000fr\\u000f\ufffd\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\ufffds\ufffd)(\ufffd\ufffdq=\ufffdA\ufffd1\\u0004\ufffd\\u0019\ufffdb !\ufffd\\f\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\\u0013\ufffdR\\u0012\\u0011\ufffd\/\ufffd\ufffd\\u0010\ufffd\ufffdXd_\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u000fr\\u000f\ufffd\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\ufffds\ufffd)(\ufffd\ufffdq=\ufffdA\ufffd1\\u0004\ufffd\\u0019\ufffdb !\ufffd\\f\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\\u0013\ufffdR\\u0012\\u0011\ufffd\/\ufffd\ufffd\\u0010\ufffd\ufffdXd_\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 1\ufffd\ufffd\ufffdj\ufffd\\u0019L\\u001d\\u0005\ufffd\ufffd\\u0002*\ufffd\ufffdp\\u00055\\f\ufffd}\ufffd]G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u000fr\\u000f\ufffd\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\ufffds\ufffd)(\ufffd\ufffdq=\ufffdA\ufffd1\\u0004\ufffd\\u0019\ufffdb !\ufffd\\f\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\\u0013\ufffdR\\u0012\\u0011\ufffd\/\ufffd\ufffd\\u0010\ufffd\ufffdXd_\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u000fr\\u000f\ufffd\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\ufffds\ufffd)(\ufffd\ufffdq=\ufffdA\ufffd1\\u0004\ufffd\\u0019\ufffdb !\ufffd\\f\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\\u0013\ufffdR\\u0012\\u0011\ufffd\/\ufffd\ufffd\\u0010\ufffd\ufffdXd_\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\n\\u0000\\n\\u0000\\b\\u0000\\u001d\\u0000\\u0017\\u0000\\u0018\\u0000\\u0019\\u0000\\u000b\\u0000\\u0002\\u0001\\u0000\\u0000\\r\\u0000\\u001a\\u0000\\u0018\\b\\u0004\\u0004\\u0003\\b\\u0007\\b\\u0005\\b\\u0006\\u0004\\u0001\\u0005\\u0001\\u0006\\u0001\\u0005\\u0003\\u0006\\u0003\\u0002\\u0001\\u0002\\u0003\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000+\\u0000\\t\\b\\u0003\\u0004\\u0003\\u0003\\u0003\\u0002\\u0003\\u0001\\u00003\\u0000\u0026\\u0000$\\u0000\\u001d\\u0000 1\ufffd\ufffd\ufffdj\ufffd\\u0019L\\u001d\\u0005\ufffd\ufffd\\u0002*\ufffd\ufffdp\\u00055\\f\ufffd}\ufffd]G\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\u0022, \u0022payload_snippet\u0022: \u0022\\u0016\\u0003\\u0001\\u0000\ufffd\\u0001\\u0000\\u0000\ufffd\\u0003\\u0003\ufffd\\u000fr\\u000f\ufffd\ufffdd\ufffd\\u0003\ufffd\ufffd\ufffd\ufffds\ufffd)(\ufffd\ufffdq=\ufffdA\ufffd1\\u0004\ufffd\\u0019\ufffdb !\ufffd\\f\ufffd-\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u003C\ufffd\ufffd\ufffd\ufffd\\u0013\ufffdR\\u0012\\u0011\ufffd\/\ufffd\ufffd\\u0010\ufffd\ufffdXd_\ufffd\\u0000\u0026\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\\u0013\ufffd\\t\ufffd\\u0014\ufffd\\n\\u0000\ufffd\\u0000\ufffd\\u0000\/\\u00005\ufffd\\u0012\\u0000\\n\\u0013\\u0003\\u0013\\u0001\\u0013\\u0002\\u0001\\u0000\\u0000{\\u0000\\u0005\\u0000\\u0005\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022aa49b66c31cddd70c709ecdad0cd2cf65a86dca4\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]}","tls_sni":null,"tls_ja3_hash":"35fa0a83e466acbec1cfbb9016d550ab","tls_ja3":"771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0","http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022tls_ja3\u0022, \u0022tls_no_sni\u0022, \u0022tls_weak_cipher\u0022]","anomalies":"[]","severity":4,"bytes_in":243},{"id":8380053,"ip":"199.45.155.101","ts":"2026-06-06 09:36:01.000000","proto":"tcp","src_port":39558,"dst_port":831,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 831, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 18, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022038e18c57388d4b979cdc1881735c1f1f233b02b\u0022, \u0022event_fingerprint\u0022: \u00221a4f92d93a89ad7d6efd874bd155c26b0e7961b4\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-single-port\u0022], \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 398722, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 831}, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e565af206a65567483ee801a5a1a6906a8f8d486\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":7909262,"ip":"199.45.155.101","ts":"2026-05-28 22:34:35.000000","proto":"tcp","src_port":12428,"dst_port":2323,"service":"http","classification":"web_attack","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/security.txt","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u00225f5db91a9e2e02c1396d851db979a6f7b4d4b364\u0022, \u0022http_host_hash\u0022: \u0022a94e72af39dadcf61f404df2c7c05b0079ff3d4f\u0022, \u0022http_target_hash\u0022: \u002235388aa39f105600011ad0e7ab2a90933c84d4f3\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 173, \u0022payload_entropy\u0022: 5.162209423628474, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Censys, Inc.\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 398722, \u0022country\u0022: \u0022US\u0022, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022risk_score\u0022: 100, \u0022campaign_key\u0022: \u0022f7e0073668b095dcac04056633fa4cfcbcbb8391\u0022, \u0022event_fingerprint\u0022: \u002289826c6cb0d3606a28a0ff0fc22e112ae5c53286\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2323","http_user_agent":"Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":173}],"total_events":104}