|
|
TCP |
30164 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:30164 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
30164
Chemin / cible
—
Service
TLS
Payload
�����������u�CO���'q�b=��x������2�t�~��E$ �ʊ���c#�[��Y�W���BT��34�T������&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������u�CO���'q�b=��x������2�t�~��E$ �ʊ���c#�[��Y�W���BT��34�T������&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
�����������u�CO���'q�b=��x������2�t�~��E$ �ʊ���c#�[��Y�W���BT��34�T������&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �S�e����d��sҡ�%w���O"�$��X�"|�
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.860738026144017,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 30164,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "791f3848299f3dd88b1a2ecf28f61b9803d084ec",
"event_fingerprint": "325b974113283d529e525ab20794f9b3231d53c8",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "bd97d2ef37767120c43844ed80202740",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 30164,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003u\ufffdCO\ufffd\ufffd\ufffd'q\u0017b=\u0010\ufffdx\ufffd\ufffd\ufffd\ufffd\u0004\b2\ufffdt\ufffd~\ufffd\ufffdE$ \ufffd\u028a\ufffd\ufffd\ufffdc#\ufffd[\ufffd\ufffdY\ufffdW\ufffd\ufffd\ufffdBT\ufffd\ufffd34\ufffdT\ufffd\ufffd\ufffd\ufffd\u001c\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003u\ufffdCO\ufffd\ufffd\ufffd'q\u0017b=\u0010\ufffdx\ufffd\ufffd\ufffd\ufffd\u0004\b2\ufffdt\ufffd~\ufffd\ufffdE$ \ufffd\u028a\ufffd\ufffd\ufffdc#\ufffd[\ufffd\ufffdY\ufffdW\ufffd\ufffd\ufffdBT\ufffd\ufffd34\ufffdT\ufffd\ufffd\ufffd\ufffd\u001c\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdS\u0000e\ufffd\ufffd\ufffd\ufffdd\ufffd\ufffds\u04a1\ufffd%w\ufffd\ufffd\ufffdO\"\ufffd$\ufffd\ufffdX\ufffd\"|\u0018",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003u\ufffdCO\ufffd\ufffd\ufffd'q\u0017b=\u0010\ufffdx\ufffd\ufffd\ufffd\ufffd\u0004\b2\ufffdt\ufffd~\ufffd\ufffdE$ \ufffd\u028a\ufffd\ufffd\ufffdc#\ufffd[\ufffd\ufffdY\ufffdW\ufffd\ufffd\ufffdBT\ufffd\ufffd34\ufffdT\ufffd\ufffd\ufffd\ufffd\u001c\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cfdf06597717005229830532bc4cbdec167a2e6e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003u\ufffdCO\ufffd\ufffd\ufffd'q\u0017b=\u0010\ufffdx\ufffd\ufffd\ufffd\ufffd\u0004\b2\ufffdt\ufffd~\ufffd\ufffdE$ \ufffd\u028a\ufffd\ufffd\ufffdc#\ufffd[\ufffd\ufffdY\ufffdW\ufffd\ufffd\ufffdBT\ufffd\ufffd34\ufffdT\ufffd\ufffd\ufffd\ufffd\u001c\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 30164,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdu\ufffdCO\ufffd\ufffd\ufffd'qb=\ufffdx\ufffd\ufffd\ufffd\ufffd2\ufffdt\ufffd~\ufffd\ufffdE$ \ufffd\u028a\ufffd\ufffd\ufffdc#\ufffd[\ufffd\ufffdY\ufffdW\ufffd\ufffd\ufffdBT\ufffd\ufffd34\ufffdT\ufffd\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:30164 \u00b7 (sonde \/ probe)",
"target_port_label": "30164 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 30164,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003u\ufffdCO\ufffd\ufffd\ufffd'q\u0017b=\u0010\ufffdx\ufffd\ufffd\ufffd\ufffd\u0004\b2\ufffdt\ufffd~\ufffd\ufffdE$ \ufffd\u028a\ufffd\ufffd\ufffdc#\ufffd[\ufffd\ufffdY\ufffdW\ufffd\ufffd\ufffdBT\ufffd\ufffd34\ufffdT\ufffd\ufffd\ufffd\ufffd\u001c\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 30164,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:30164 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdu\ufffdCO\ufffd\ufffd\ufffd'qb=\ufffdx\ufffd\ufffd\ufffd\ufffd2\ufffdt\ufffd~\ufffd\ufffdE$ \ufffd\u028a\ufffd\ufffd\ufffdc#\ufffd[\ufffd\ufffdY\ufffdW\ufffd\ufffd\ufffdBT\ufffd\ufffd34\ufffdT\ufffd\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "30164 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "30164"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:30164",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
30164 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:30164 · (sonde / probe) · → /.well-known/security.txt
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /.well-known/security.txt UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
33
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950468:nosqli-3
Cible HTTP
GET
/.well-known/security.txt
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30164
Chemin / cible
/.well-known/security.txt
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 50 % — 5 tag(s) WAF
Signaux
Scanner Censys
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MITRE T1595 active scan
LFI Double-dot bypass
Probe /.well-known/
UA censys
Ligne de requête
GET /.well-known/security.txt HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /.well-known/security.txt HTTP/1.1
Host: 62.3.50.33:30164
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https:/
Requête brute (extrait)
GET /.well-known/security.txt HTTP/1.1 Host: 62.3.50.33:30164 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "txt",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "390c71f7322278c645a1b9631cd16791a328365f",
"http_target_hash": "45c9b9d0d93f4f7ad3de5a5667f00a2d2df4266d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 186,
"payload_entropy": 5.220453085847924,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 30164,
"risk_waf": 82.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25
},
"risk_score": 42,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "2428fd2cf457dfc7dc74650eb37699d6311e6e61",
"event_fingerprint": "5bbd6459fc61fa401f41c61881d628c8ca644f20",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 115,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream"
],
"matched_patterns": [
"pat-0806",
"pat-0103",
"pat-0228",
"pat-0431"
],
"matched_pattern_names": [
"MITRE T1595 active scan",
"LFI Double-dot bypass",
"Probe \/.well-known\/",
"UA censys"
],
"pattern_ids": [
"pat-0806",
"pat-0103",
"pat-0228",
"pat-0431"
],
"confidence_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "db66ca11145661db5ee8b02a51835ecc",
"path_pattern_hash": "c8b429a17a0f3584726a903b01671348"
},
"target_context": {
"dst_port": 30164,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"method": "GET",
"path": "\/.well-known\/security.txt",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"request_sample": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"evidence": {
"method": "GET",
"path": "\/.well-known\/security.txt",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"request_sample": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ff8e1664de92577431818ccbd3bde3f64e753236",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.well-known\/security.txt",
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 30164,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"attack_vector": "web scanner \u00b7 via HTTP:30164 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/.well-known\/security.txt",
"target_port_label": "30164 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 30164,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.well-known\/security.txt",
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 30164,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:30164 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/.well-known\/security.txt",
"evidence_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"target_port_label": "30164 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 82 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30164"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:30164",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner"
]
}
|
|
|
TCP |
30164 · HTTP
|
http
|
Sonde PostgreSQL
postgres probe · via HTTP:30164 · (sonde / probe) · → *
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
PRI *
Émulateur
HTTP
WAF
0
Recommandation
Surveiller
Tags
http_no_ua
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
30164
Chemin / cible
*
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
PostgreSQL startup
ET H.323 setup
NFS RPC mount
Minecraft varint handshake
Ligne de requête
PRI * HTTP/1.1
User-Agent
—
Règles WAF
—
Payload (extrait)
PRI * HTTP/2.0
SM
�������������������Bh��������
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 57,
"payload_entropy": 3.474882067394362,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 30164,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0.5,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a00a572f9fbb5e81c1ac91c41349700566d822a3",
"event_fingerprint": "8b4660de0b2b80b46c178c84396345844a980d0f",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0348",
"pat-0369",
"pat-0868",
"pat-0532",
"pat-0554"
],
"matched_pattern_names": [
"RDP TPKT header",
"PostgreSQL startup",
"ET H.323 setup",
"NFS RPC mount",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0348",
"pat-0369",
"pat-0868",
"pat-0532",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fe3435fc30fb19e768a81e744ede3fba",
"path_pattern_hash": "684888c0ebb17f374298b65ee2807526"
},
"target_context": {
"dst_port": 30164,
"service": "http",
"service_name": "http",
"risk_score": 35
},
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000",
"evidence": {
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "21bddd675b38a4aec7e051a561cee0027bd23cbd",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 30164,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\nBh",
"attack_vector": "postgres probe \u00b7 via HTTP:30164 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"target_port_label": "30164 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 30164,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 30164,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "postgres probe \u00b7 via HTTP:30164 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\nBh",
"target_port_label": "30164 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30164"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:30164",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_no_ua"
]
}
|
|
|
TCP |
30164 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:30164 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
30164
Chemin / cible
—
Service
TLS
Payload
������������6����� &����Yuc+Q���K��XF*��oS@ �����=]2'��3�-���T�G��.�D��rA���&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������6������&����Yuc+Q���K��XF*��oS@ �����=]2'��3�-���T�G��.�D��rA���&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
������������6����� &����Yuc+Q���K��XF*��oS@ �����=]2'��3�-���T�G��.�D��rA���&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �@��N ��y��*���K�xk �UP��$n�5
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.865702713826336,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 30164,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "791f3848299f3dd88b1a2ecf28f61b9803d084ec",
"event_fingerprint": "325b974113283d529e525ab20794f9b3231d53c8",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "ab9d6b340771d70f5eee60c328cae81d",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 30164,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u0001\ufffd\u001c\ufffd\f&\ufffd\u0012\ufffd\ufffdYuc+Q\ufffd\ufffd\ufffdK\ufffd\ufffdXF*\ufffd\ufffdoS@ \ufffd\ufffd\ufffd\ufffd\ufffd=]2'\ufffd\ufffd3\ufffd-\ufffd\ufffd\ufffdT\ufffdG\ufffd\ufffd.\ufffdD\ufffd\ufffdrA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u0001\ufffd\u001c\ufffd\f&\ufffd\u0012\ufffd\ufffdYuc+Q\ufffd\ufffd\ufffdK\ufffd\ufffdXF*\ufffd\ufffdoS@ \ufffd\ufffd\ufffd\ufffd\ufffd=]2'\ufffd\ufffd3\ufffd-\ufffd\ufffd\ufffdT\ufffdG\ufffd\ufffd.\ufffdD\ufffd\ufffdrA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd@\ufffd\ufffdN\f\ufffd\ufffdy\ufffd\ufffd*\ufffd\ufffd\ufffdK\ufffdxk\r\ufffdUP\u0017\ufffd$n\ufffd5",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u0001\ufffd\u001c\ufffd\f&\ufffd\u0012\ufffd\ufffdYuc+Q\ufffd\ufffd\ufffdK\ufffd\ufffdXF*\ufffd\ufffdoS@ \ufffd\ufffd\ufffd\ufffd\ufffd=]2'\ufffd\ufffd3\ufffd-\ufffd\ufffd\ufffdT\ufffdG\ufffd\ufffd.\ufffdD\ufffd\ufffdrA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "72b65e1ddd19e7a252f9b1c67759fb168c5de72a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u0001\ufffd\u001c\ufffd\f&\ufffd\u0012\ufffd\ufffdYuc+Q\ufffd\ufffd\ufffdK\ufffd\ufffdXF*\ufffd\ufffdoS@ \ufffd\ufffd\ufffd\ufffd\ufffd=]2'\ufffd\ufffd3\ufffd-\ufffd\ufffd\ufffdT\ufffdG\ufffd\ufffd.\ufffdD\ufffd\ufffdrA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 30164,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd6\ufffd\ufffd\ufffd&\ufffd\ufffd\ufffdYuc+Q\ufffd\ufffd\ufffdK\ufffd\ufffdXF*\ufffd\ufffdoS@ \ufffd\ufffd\ufffd\ufffd\ufffd=]2'\ufffd\ufffd3\ufffd-\ufffd\ufffd\ufffdT\ufffdG\ufffd\ufffd.\ufffdD\ufffd\ufffdrA\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:30164 \u00b7 (sonde \/ probe)",
"target_port_label": "30164 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 30164,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u0001\ufffd\u001c\ufffd\f&\ufffd\u0012\ufffd\ufffdYuc+Q\ufffd\ufffd\ufffdK\ufffd\ufffdXF*\ufffd\ufffdoS@ \ufffd\ufffd\ufffd\ufffd\ufffd=]2'\ufffd\ufffd3\ufffd-\ufffd\ufffd\ufffdT\ufffdG\ufffd\ufffd.\ufffdD\ufffd\ufffdrA\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 30164,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:30164 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd6\ufffd\ufffd\ufffd&\ufffd\ufffd\ufffdYuc+Q\ufffd\ufffd\ufffdK\ufffd\ufffdXF*\ufffd\ufffdoS@ \ufffd\ufffd\ufffd\ufffd\ufffd=]2'\ufffd\ufffd3\ufffd-\ufffd\ufffd\ufffdT\ufffdG\ufffd\ufffd.\ufffdD\ufffd\ufffdrA\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "30164 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "30164"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:30164",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
30164 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:30164 · (sonde / probe)
|
Élevée
|
Moyen · 47
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
30
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30164
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 5 tag(s) WAF
Signaux
Scanner Censys
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:30164
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Acce
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:30164 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "390c71f7322278c645a1b9631cd16791a328365f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 162,
"payload_entropy": 5.180183916379821,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 30164,
"risk_waf": 75,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "33c13536c2ec61a9fc69b0d3b18e07559dd0a095",
"event_fingerprint": "f5bcea82e9e571ae31cbb2da29dfe12f54e9f1d8",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "70132d45524ebc4a15e21ab83600004f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 30164,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cbb878389885b56d5d0c3c954268d848d096c3bd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 30164,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"attack_vector": "web scanner \u00b7 via HTTP:30164 \u00b7 (sonde \/ probe)",
"target_port_label": "30164 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 30164,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 30164,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:30164 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"target_port_label": "30164 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 75 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30164"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:30164",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
]
}
|
|
|
TCP |
30164 · HTTP
|
http
|
Sonde HTTP
Sonde HTTP · via HTTP:30164 · (sonde / probe)
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /
Émulateur
HTTP
WAF
8
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
951040:websocket-anomaly
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
30164
Chemin / cible
/
Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74%
Confiance classification
82%
Corrélation +8
Risque capteur
Moyen
· 40
Confiance : Confiance 74 % — Score WAF 40 · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
sap-sapcontrol-path
websocket-anomaly
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:30164
Connection: Upgrade
Sec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg==
Sec-WebSocket-Version:
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:30164 Connection: Upgrade Sec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg== Sec-WebSocket-Version: 13 Upgrade: websocket
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "390c71f7322278c645a1b9631cd16791a328365f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 155,
"payload_entropy": 5.3374188560316,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 30164,
"risk_waf": 40,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 40,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 40,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "df28e9ad0595bb4f7652aea04c01f294380517f2",
"event_fingerprint": "e3d0e1c33e14e4ac4a8a1a6d5a6f69b6ad5c8944",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dcdded16d1a1a4157ef6259930e69ee9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"service_name": "http",
"target_context": {
"dst_port": 30164,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nConnection: Upgrade\r\nSec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg==\r\nSec-WebSocket-Version:",
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path",
"951040:websocket-anomaly"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"websocket-anomaly"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nConnection: Upgrade\r\nSec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg==\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nConnection: Upgrade\r\nSec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg==\r\nSec-WebSocket-Version:",
"evidence": {
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path",
"951040:websocket-anomaly"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"websocket-anomaly"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nConnection: Upgrade\r\nSec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg==\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nConnection: Upgrade\r\nSec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg==\r\nSec-WebSocket-Version:",
"classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%"
},
"classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%",
"confidence_breakdown": {
"waf": 40,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"confidence": 0.82,
"classification_confidence": 0.82,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "43552424fbb07040c97c698d5c5f64e610c2a008",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 30164,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nConnection: Upgrade\r\nSec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg==\r\nSec-WebSocket-Version:",
"attack_vector": "Sonde HTTP \u00b7 via HTTP:30164 \u00b7 (sonde \/ probe)",
"target_port_label": "30164 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 74 % \u2014 Score WAF 40 \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%",
"classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 82,
"confidence_breakdown": {
"waf": 40,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 30164,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 30164,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "Sonde HTTP \u00b7 via HTTP:30164 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:30164\r\nConnection: Upgrade\r\nSec-WebSocket-Key: RhbSW8JUivE0WQxRL39OXg==\r\nSec-WebSocket-Version:",
"target_port_label": "30164 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 74 % \u2014 Score WAF 40 \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 82 % \u2014 Score WAF 40 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "30164"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:30164",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"951040:websocket-anomaly",
"http_no_ua"
]
}
|
|
|
TCP |
30164 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:30164 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
30164
Chemin / cible
—
Service
TLS
Payload
������������n$[����_.ċ�2I�<5D�y=��?x�V�o� �+��0M��:L��d���N�����0�@1D� ��C�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������n$[����_.ċ�2I�<5D�y=��?x�V�o� �+��0M��:L��d���N�����0�@1D� ��C�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
������������n$[����_.ċ�2I�<5D�y=��?x�V�o� �+��0M��:L��d���N�����0�@1D� ��C�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ��$�?�����A���˟�?&|������h�%��
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.823781621594723,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 30164,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "791f3848299f3dd88b1a2ecf28f61b9803d084ec",
"event_fingerprint": "325b974113283d529e525ab20794f9b3231d53c8",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "0fff0ebbe167bef58aeb99014cdf21fb",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 30164,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdn$[\ufffd\ufffd\ufffd\ufffd_.\u010b\u00182I\ufffd<5D\ufffdy=\ufffd\ufffd?x\ufffdV\ufffdo\ufffd \ufffd+\ufffd\ufffd0M\ufffd\ufffd:L\ufffd\ufffdd\ufffd\ufffd\ufffdN\ufffd\u0010\u0014\ufffd\ufffd0\ufffd@1D\ufffd\t\ufffd\ufffdC\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdn$[\ufffd\ufffd\ufffd\ufffd_.\u010b\u00182I\ufffd<5D\ufffdy=\ufffd\ufffd?x\ufffdV\ufffdo\ufffd \ufffd+\ufffd\ufffd0M\ufffd\ufffd:L\ufffd\ufffdd\ufffd\ufffd\ufffdN\ufffd\u0010\u0014\ufffd\ufffd0\ufffd@1D\ufffd\t\ufffd\ufffdC\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd$\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffd\u02df\ufffd?&|\ufffd\ufffd\ufffd\u0004\ufffd\u001dh\ufffd%\ufffd\u0014",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdn$[\ufffd\ufffd\ufffd\ufffd_.\u010b\u00182I\ufffd<5D\ufffdy=\ufffd\ufffd?x\ufffdV\ufffdo\ufffd \ufffd+\ufffd\ufffd0M\ufffd\ufffd:L\ufffd\ufffdd\ufffd\ufffd\ufffdN\ufffd\u0010\u0014\ufffd\ufffd0\ufffd@1D\ufffd\t\ufffd\ufffdC\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "47e9d2e343a5e8dd91c2a976db29c1b46918e114",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdn$[\ufffd\ufffd\ufffd\ufffd_.\u010b\u00182I\ufffd<5D\ufffdy=\ufffd\ufffd?x\ufffdV\ufffdo\ufffd \ufffd+\ufffd\ufffd0M\ufffd\ufffd:L\ufffd\ufffdd\ufffd\ufffd\ufffdN\ufffd\u0010\u0014\ufffd\ufffd0\ufffd@1D\ufffd\t\ufffd\ufffdC\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 30164,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdn$[\ufffd\ufffd\ufffd\ufffd_.\u010b2I\ufffd<5D\ufffdy=\ufffd\ufffd?x\ufffdV\ufffdo\ufffd \ufffd+\ufffd\ufffd0M\ufffd\ufffd:L\ufffd\ufffdd\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd0\ufffd@1D\ufffd\t\ufffd\ufffdC&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:30164 \u00b7 (sonde \/ probe)",
"target_port_label": "30164 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 30164,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdn$[\ufffd\ufffd\ufffd\ufffd_.\u010b\u00182I\ufffd<5D\ufffdy=\ufffd\ufffd?x\ufffdV\ufffdo\ufffd \ufffd+\ufffd\ufffd0M\ufffd\ufffd:L\ufffd\ufffdd\ufffd\ufffd\ufffdN\ufffd\u0010\u0014\ufffd\ufffd0\ufffd@1D\ufffd\t\ufffd\ufffdC\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 30164,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:30164 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdn$[\ufffd\ufffd\ufffd\ufffd_.\u010b2I\ufffd<5D\ufffdy=\ufffd\ufffd?x\ufffdV\ufffdo\ufffd \ufffd+\ufffd\ufffd0M\ufffd\ufffd:L\ufffd\ufffdd\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd0\ufffd@1D\ufffd\t\ufffd\ufffdC&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "30164 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "30164"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"port:30164",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
30164
|
—
|
Sonde port
Sonde port · port 30164 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
30164
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": null,
"app_proto": null,
"asn": 398722,
"country": "US",
"dst_port": 30164,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "a9766cc14ace867a93b96e150ddead0ca8d0893d",
"event_fingerprint": "db07428ce4c52e00256fbe95a0ee62ab1bfdbd62",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 30164,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b44159976c08ddfe5d88f1e8a399869d77c0e704",
"protocol_details": {
"port": 30164
},
"attack_vector": "Sonde port \u00b7 port 30164 \u00b7 (sonde \/ probe)",
"target_port_label": "30164",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 30164,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 30164
},
"attack_vector": "Sonde port \u00b7 port 30164 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "30164",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "30164"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
2082 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:2082 · (sonde / probe) · → /ienhhhcrr8m
|
Élevée
|
Moyen · 47
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1595
TA0007
TA0001
Protocole
GET /ienhhhcrr8m UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
27
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/ienhhhcrr8m
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/ienhhhcrr8m
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET /ienhhhcrr8m HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /ienhhhcrr8m HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.
Requête brute (extrait)
GET /ienhhhcrr8m HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "9365169ac34a43ac3e93d509920efe4937b05b0b",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 172,
"payload_entropy": 5.219163463703494,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 67.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "372744c9da2989cc6afcf88f25242044540497b8",
"event_fingerprint": "d890362744117187769a6a4dd0c7efa654b9041a",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "2416c24c859f2f22c95d7de5c4e36ef5",
"path_pattern_hash": "fee42446b26ef69e60e57c35cc3304e3"
},
"target_context": {
"dst_port": 2082,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ienhhhcrr8m HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"method": "GET",
"path": "\/ienhhhcrr8m",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/ienhhhcrr8m HTTP\/1.1",
"request_sample": "GET \/ienhhhcrr8m HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ienhhhcrr8m HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"evidence": {
"method": "GET",
"path": "\/ienhhhcrr8m",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/ienhhhcrr8m HTTP\/1.1",
"request_sample": "GET \/ienhhhcrr8m HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ienhhhcrr8m HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5b344ab4f0fcfeb80d9e19cd6f46e4ff019c1aa3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/ienhhhcrr8m",
"request_line": "GET \/ienhhhcrr8m HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ienhhhcrr8m HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/ienhhhcrr8m",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/ienhhhcrr8m",
"request_line": "GET \/ienhhhcrr8m HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/ienhhhcrr8m",
"evidence_snippet": "GET \/ienhhhcrr8m HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"cpanel",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
2082 · CPANEL
|
cpanel
|
Sonde PostgreSQL
postgres probe · via CPANEL:2082 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
CPANEL
WAF
—
Recommandation
Surveiller
Tags
cpanel_emulated
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Service
CPANEL
Payload
������������q�a�)W��L���<8��Y�H�2���nxQ��^ �����^#�H�a4���#{�-e[�WYvsZ[��A��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������q�a�)W��L���<8��Y�H�2���nxQ��^ �����^#�H�a4���#{�-e[�WYvsZ[��A��&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
������������q�a�)W��L���<8��Y�H�2���nxQ��^ �����^#�H�a4���#{�-e[�WYvsZ[��A��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� f�l�lj�����Վbw���R� �����SY�G
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 243,
"payload_entropy": 5.827003563253006,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "cpanel",
"app_proto": "cpanel",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ed613783166dd900089e41f9811da7ec01896773",
"event_fingerprint": "2ba81f55f1429aafe8b166faf2b84499ed62bf27",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "cpanel",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1801ba75d758200f19cdbe5b7aafc9cb",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2082,
"service": "cpanel",
"service_name": "cpanel",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdq\ufffda\ufffd)W\ufffd\u0001L\ufffd\u0017\ufffd<8\ufffd\ufffdY\ufffdH\ufffd2\u0004\ufffd\u0010nxQ\ufffd\ufffd^ \u0017\u001a\u001a\ufffd\ufffd^#\ufffdH\ufffda4\u0002\ufffd\ufffd#{\ufffd-e[\ufffdWYvsZ[\ufffd\ufffdA\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdq\ufffda\ufffd)W\ufffd\u0001L\ufffd\u0017\ufffd<8\ufffd\ufffdY\ufffdH\ufffd2\u0004\ufffd\u0010nxQ\ufffd\ufffd^ \u0017\u001a\u001a\ufffd\ufffd^#\ufffdH\ufffda4\u0002\ufffd\ufffd#{\ufffd-e[\ufffdWYvsZ[\ufffd\ufffdA\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 f\ufffdl\ufffdlj\ufffd\ufffd\u0015\u0003\ufffd\u054ebw\ufffd\ufffd\ufffdR\ufffd \b\ufffd\u001f\ufffd\ufffdSY\ufffdG",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdq\ufffda\ufffd)W\ufffd\u0001L\ufffd\u0017\ufffd<8\ufffd\ufffdY\ufffdH\ufffd2\u0004\ufffd\u0010nxQ\ufffd\ufffd^ \u0017\u001a\u001a\ufffd\ufffd^#\ufffdH\ufffda4\u0002\ufffd\ufffd#{\ufffd-e[\ufffdWYvsZ[\ufffd\ufffdA\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6ae39c384c3301f43ae9c128503acffce0e2e9b2",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdq\ufffda\ufffd)W\ufffd\u0001L\ufffd\u0017\ufffd<8\ufffd\ufffdY\ufffdH\ufffd2\u0004\ufffd\u0010nxQ\ufffd\ufffd^ \u0017\u001a\u001a\ufffd\ufffd^#\ufffdH\ufffda4\u0002\ufffd\ufffd#{\ufffd-e[\ufffdWYvsZ[\ufffd\ufffdA\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"evidence_snippet": "\ufffd\ufffd\ufffdq\ufffda\ufffd)W\ufffdL\ufffd\ufffd<8\ufffd\ufffdY\ufffdH\ufffd2\ufffdnxQ\ufffd\ufffd^ \ufffd\ufffd^#\ufffdH\ufffda4\ufffd\ufffd#{\ufffd-e[\ufffdWYvsZ[\ufffd\ufffdA\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "cpanel",
"service_label_fr": "CPANEL",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdq\ufffda\ufffd)W\ufffd\u0001L\ufffd\u0017\ufffd<8\ufffd\ufffdY\ufffdH\ufffd2\u0004\ufffd\u0010nxQ\ufffd\ufffd^ \u0017\u001a\u001a\ufffd\ufffd^#\ufffdH\ufffda4\u0002\ufffd\ufffd#{\ufffd-e[\ufffdWYvsZ[\ufffd\ufffdA\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "postgres probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdq\ufffda\ufffd)W\ufffdL\ufffd\ufffd<8\ufffd\ufffdY\ufffdH\ufffd2\ufffdnxQ\ufffd\ufffd^ \ufffd\ufffd^#\ufffdH\ufffda4\ufffd\ufffd#{\ufffd-e[\ufffdWYvsZ[\ufffd\ufffdA\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel",
"service_banner": "honeypot-cpanel",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"cpanel",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_emulated",
"net_cpanel_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
2082 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:2082 · (sonde / probe) · → /.well-known/security.txt
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /.well-known/security.txt UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
33
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950468:nosqli-3
Cible HTTP
GET
/.well-known/security.txt
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/.well-known/security.txt
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 50 % — 5 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MITRE T1595 active scan
LFI Double-dot bypass
Probe /.well-known/
UA censys
Ligne de requête
GET /.well-known/security.txt HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /.well-known/security.txt HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://
Requête brute (extrait)
GET /.well-known/security.txt HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20746578742f706c61696e3b20636861727365743d7574662d380d0a436f6e74656e742d4c656e6774683a2039350d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a436f6e74616374",
"emulator_response_len": 216,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "txt",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "45c9b9d0d93f4f7ad3de5a5667f00a2d2df4266d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.2223036257689035,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 82.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 42,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "a67ebaa33743d2f7e526c52750cc000686bead70",
"event_fingerprint": "a3e81e2922950996021b0af6551deb1193ef109b",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 115,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream"
],
"matched_patterns": [
"pat-0806",
"pat-0103",
"pat-0228",
"pat-0431"
],
"matched_pattern_names": [
"MITRE T1595 active scan",
"LFI Double-dot bypass",
"Probe \/.well-known\/",
"UA censys"
],
"pattern_ids": [
"pat-0806",
"pat-0103",
"pat-0228",
"pat-0431"
],
"confidence_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "53a6bf86ff4255921c760cd58f2bf714",
"path_pattern_hash": "c8b429a17a0f3584726a903b01671348"
},
"target_context": {
"dst_port": 2082,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"method": "GET",
"path": "\/.well-known\/security.txt",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"request_sample": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"evidence": {
"method": "GET",
"path": "\/.well-known\/security.txt",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"request_sample": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "135d6fff9cfb2019bcd617b0714140699df60b34",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.well-known\/security.txt",
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/.well-known\/security.txt",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.well-known\/security.txt",
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/.well-known\/security.txt",
"evidence_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 82 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"cpanel",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
2082 · CPANEL
|
cpanel
|
Sonde PostgreSQL
postgres probe · via CPANEL:2082 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
CPANEL
WAF
—
Recommandation
Surveiller
Tags
cpanel_emulated
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Service
CPANEL
Payload
�������������«��T-g�)��bB��[�����@ �\+�l� ��u�D���A� �[0�J� ��l/x�Y����&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������«��T-g�)��bB��[�����@ �\+�l� ��u�D���A� �[0�J� ��l/x�Y����&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
�������������«��T-g�)��bB��[�����@ �\+�l� ��u�D���A� �[0�J� ��l/x�Y����&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �����zo���";4\�=�^$N�����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 243,
"payload_entropy": 5.778975028492432,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "cpanel",
"app_proto": "cpanel",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ed613783166dd900089e41f9811da7ec01896773",
"event_fingerprint": "2ba81f55f1429aafe8b166faf2b84499ed62bf27",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "cpanel",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e15ac4ff320907c2c59129bc93cf5646",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2082,
"service": "cpanel",
"service_name": "cpanel",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffd\u00ab\ufffd\ufffdT-g\ufffd)\u0010\u001ebB\ufffd\ufffd[\ufffd\ufffd\u0006\ufffd\ufffd@ \ufffd\\+\ufffdl\u0014 \ufffd\u0018u\ufffdD\ufffd\ufffd\u0005A\ufffd \ufffd[0\u000fJ\ufffd\t\ufffd\ufffdl\/x\ufffdY\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffd\u00ab\ufffd\ufffdT-g\ufffd)\u0010\u001ebB\ufffd\ufffd[\ufffd\ufffd\u0006\ufffd\ufffd@ \ufffd\\+\ufffdl\u0014 \ufffd\u0018u\ufffdD\ufffd\ufffd\u0005A\ufffd \ufffd[0\u000fJ\ufffd\t\ufffd\ufffdl\/x\ufffdY\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0019\ufffd\ufffd\ufffdzo\ufffd\u0005\u0003\";4\\\ufffd=\ufffd^$N\u001a\u0003\u0005\ufffd\u0005\ufffd\ufffd\ufffd\ufffd\ufffd\u0014",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffd\u00ab\ufffd\ufffdT-g\ufffd)\u0010\u001ebB\ufffd\ufffd[\ufffd\ufffd\u0006\ufffd\ufffd@ \ufffd\\+\ufffdl\u0014 \ufffd\u0018u\ufffdD\ufffd\ufffd\u0005A\ufffd \ufffd[0\u000fJ\ufffd\t\ufffd\ufffdl\/x\ufffdY\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6dc3244b4cb47df414504769b5d9e09eac891f2a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffd\u00ab\ufffd\ufffdT-g\ufffd)\u0010\u001ebB\ufffd\ufffd[\ufffd\ufffd\u0006\ufffd\ufffd@ \ufffd\\+\ufffdl\u0014 \ufffd\u0018u\ufffdD\ufffd\ufffd\u0005A\ufffd \ufffd[0\u000fJ\ufffd\t\ufffd\ufffdl\/x\ufffdY\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u00ab\ufffd\ufffdT-g\ufffd)bB\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd@ \ufffd\\+\ufffdl \ufffdu\ufffdD\ufffd\ufffdA\ufffd \ufffd[0J\ufffd\t\ufffd\ufffdl\/x\ufffdY\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "cpanel",
"service_label_fr": "CPANEL",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0013\ufffd\u00ab\ufffd\ufffdT-g\ufffd)\u0010\u001ebB\ufffd\ufffd[\ufffd\ufffd\u0006\ufffd\ufffd@ \ufffd\\+\ufffdl\u0014 \ufffd\u0018u\ufffdD\ufffd\ufffd\u0005A\ufffd \ufffd[0\u000fJ\ufffd\t\ufffd\ufffdl\/x\ufffdY\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "postgres probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u00ab\ufffd\ufffdT-g\ufffd)bB\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd@ \ufffd\\+\ufffdl \ufffdu\ufffdD\ufffd\ufffdA\ufffd \ufffd[0J\ufffd\t\ufffd\ufffdl\/x\ufffdY\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel",
"service_banner": "honeypot-cpanel",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"cpanel",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_emulated",
"net_cpanel_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
2082 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:2082 · (sonde / probe) · → /favicon.ico
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
27
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/favicon.ico
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 50 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600",
"emulator_response_len": 130,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 178,
"payload_entropy": 5.134700721863587,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 67.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 42,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "372744c9da2989cc6afcf88f25242044540497b8",
"event_fingerprint": "28d1378face79104ada9a3e207700c7dbb296776",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "6bbda2658827c2ed1ca3fa39db02f475",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 2082,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "606e9f30468cc72f9093045209f552fb887dd5ed",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"cpanel",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
2082 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:2082 · (sonde / probe)
|
Élevée
|
Moyen · 47
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
30
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Accep
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2082 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.183301719458293,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 75,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "22757d6393c30add23d176355c410214dcf52a39",
"event_fingerprint": "599c0f1c4d7c64d6bc8183d5c7b712a0254b9c6c",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "61e53288a1abf9d938dd66138d62bb85",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2082,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6e9f27d31b00e86687393e666114d30731f0d157",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe)",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 75 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"cpanel",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
2082 · HTTP
|
http
|
Sonde HTTP
Sonde HTTP · via HTTP:2082 · (sonde / probe) · → *
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
PRI *
Émulateur
HTTP
WAF
0
Recommandation
Surveiller
Tags
http_no_ua
net_web_probe
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
2082
Chemin / cible
*
Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 71%
Confiance classification
79%
Corrélation +8
Risque capteur
Moyen
· 40
Confiance : Confiance 71 % — Score WAF 8
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
PRI * HTTP/1.1
User-Agent
—
Règles WAF
—
Payload (extrait)
PRI * HTTP/2.0
SM
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 24,
"payload_entropy": 3.66829583405449,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.5,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 40,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "1e73087575d9077aa0b0de9bab7e625d1c0dc56a",
"event_fingerprint": "ac05ff08686da988e1996802cd696745c28a3b66",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bd71964d35f553a9e1d0cddcb5864e08",
"path_pattern_hash": "684888c0ebb17f374298b65ee2807526"
},
"service_name": "http",
"target_context": {
"dst_port": 2082,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n",
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"evidence": {
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%"
},
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%",
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"confidence": 0.79,
"classification_confidence": 0.79,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "04c3c545dd0a9f9ae9f826b3ad9a4311ae3387bb",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"attack_vector": "Sonde HTTP \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 71 % \u2014 Score WAF 8",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%",
"classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 2082,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "Sonde HTTP \u00b7 via HTTP:2082 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"target_port_label": "2082 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 71 % \u2014 Score WAF 8",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"cpanel",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_no_ua",
"net_web_probe"
]
}
|
|
|
TCP |
2082 · CPANEL
|
cpanel
|
Sonde PostgreSQL
postgres probe · via CPANEL:2082 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
CPANEL
WAF
—
Recommandation
Surveiller
Tags
cpanel_emulated
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Service
CPANEL
Payload
������������,O�i ���HZ��q�@3�l溺��j3p�\� P^�Y�m��Y�Bpho2t4��� �@��V������&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������,O�i
���HZ��q�@3�l溺��j3p�\� P^�Y�m��Y�Bpho2t4���
�@��V������&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
������������,O�i ���HZ��q�@3�l溺��j3p�\� P^�Y�m��Y�Bpho2t4��� �@��V������&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ���k#���e��%�e�⚓�M��� ���8m
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 243,
"payload_entropy": 5.82411104491178,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "cpanel",
"app_proto": "cpanel",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ed613783166dd900089e41f9811da7ec01896773",
"event_fingerprint": "2ba81f55f1429aafe8b166faf2b84499ed62bf27",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "cpanel",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "afd5993f6123d585cedddfe3688b0959",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2082,
"service": "cpanel",
"service_name": "cpanel",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,O\ufffdi\n\ufffd\ufffd\ufffdHZ\u001f\ufffdq\u0002@3\ufffdl\uf9ec\ufffd\ufffdj3p\ufffd\\\ufffd P^\ufffdY\ufffdm\ufffd\u0005Y\ufffdBpho2t4\ufffd\ufffd\ufffd\r\ufffd@\b\ufffdV\u0019\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,O\ufffdi\n\ufffd\ufffd\ufffdHZ\u001f\ufffdq\u0002@3\ufffdl\uf9ec\ufffd\ufffdj3p\ufffd\\\ufffd P^\ufffdY\ufffdm\ufffd\u0005Y\ufffdBpho2t4\ufffd\ufffd\ufffd\r\ufffd@\b\ufffdV\u0019\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u0095\ufffdk#\ufffd\ufffd\ufffde\ufffd\ufffd%\ufffde\ufffd\u2693\ufffdM\ufffd\ufffd\ufffd\r\u0001\u0012\ufffd8m",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,O\ufffdi\n\ufffd\ufffd\ufffdHZ\u001f\ufffdq\u0002@3\ufffdl\uf9ec\ufffd\ufffdj3p\ufffd\\\ufffd P^\ufffdY\ufffdm\ufffd\u0005Y\ufffdBpho2t4\ufffd\ufffd\ufffd\r\ufffd@\b\ufffdV\u0019\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b57cc852c447ccdb5207fc5044f71f0cab77950c",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,O\ufffdi\n\ufffd\ufffd\ufffdHZ\u001f\ufffdq\u0002@3\ufffdl\uf9ec\ufffd\ufffdj3p\ufffd\\\ufffd P^\ufffdY\ufffdm\ufffd\u0005Y\ufffdBpho2t4\ufffd\ufffd\ufffd\r\ufffd@\b\ufffdV\u0019\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd,O\ufffdi\n\ufffd\ufffd\ufffdHZ\ufffdq@3\ufffdl\uf9ec\ufffd\ufffdj3p\ufffd\\\ufffd P^\ufffdY\ufffdm\ufffdY\ufffdBpho2t4\ufffd\ufffd\ufffd\r\ufffd@\ufffdV\ufffd\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "cpanel",
"service_label_fr": "CPANEL",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd,O\ufffdi\n\ufffd\ufffd\ufffdHZ\u001f\ufffdq\u0002@3\ufffdl\uf9ec\ufffd\ufffdj3p\ufffd\\\ufffd P^\ufffdY\ufffdm\ufffd\u0005Y\ufffdBpho2t4\ufffd\ufffd\ufffd\r\ufffd@\b\ufffdV\u0019\ufffd\ufffd\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "postgres probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd,O\ufffdi\n\ufffd\ufffd\ufffdHZ\ufffdq@3\ufffdl\uf9ec\ufffd\ufffdj3p\ufffd\\\ufffd P^\ufffdY\ufffdm\ufffdY\ufffdBpho2t4\ufffd\ufffd\ufffd\r\ufffd@\ufffdV\ufffd\ufffd\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel",
"service_banner": "honeypot-cpanel",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_emulated",
"net_cpanel_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
2082 · CPANEL
|
cpanel
|
Sonde PostgreSQL
postgres probe · via CPANEL:2082 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
CPANEL
WAF
—
Recommandation
Surveiller
Tags
cpanel_emulated
net_cpanel_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Service
CPANEL
Payload
�����������E��TO2-��07�� Y�5dU�S���+� z��Y ��7V��qd������������M���ֳ����m\�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������E��TO2-��07��
Y�5dU�S���+� z��Y ��7V��qd������������M���ֳ����m\�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
�����������E��TO2-��07�� Y�5dU�S���+� z��Y ��7V��qd������������M���ֳ����m\�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� L�:4��V�*_os'�.U���\�s����.=v,y
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 243,
"payload_entropy": 5.8420473084167295,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "cpanel",
"app_proto": "cpanel",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ed613783166dd900089e41f9811da7ec01896773",
"event_fingerprint": "2ba81f55f1429aafe8b166faf2b84499ed62bf27",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "cpanel",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d11d789390d183660f7441ab277f03e3",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2082,
"service": "cpanel",
"service_name": "cpanel",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdTO2-\ufffd\ufffd07\u0014\ufffd\rY\ufffd5dU\u0006S\ufffd\u001c\ufffd+\ufffd\tz\ufffd\ufffdY \ufffd\ufffd7V\u0017\ufffdqd\ufffd\ufffd\u0010\ufffd\ufffd\u0010\ufffd\ufffd\u0016\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\u05b3\u0002\u001c\ufffd\ufffdm\\\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdTO2-\ufffd\ufffd07\u0014\ufffd\rY\ufffd5dU\u0006S\ufffd\u001c\ufffd+\ufffd\tz\ufffd\ufffdY \ufffd\ufffd7V\u0017\ufffdqd\ufffd\ufffd\u0010\ufffd\ufffd\u0010\ufffd\ufffd\u0016\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\u05b3\u0002\u001c\ufffd\ufffdm\\\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 L\ufffd:4\ufffd\ufffdV\ufffd*_os'\ufffd.U\ufffd\ufffd\ufffd\\\ufffds\ufffd\ufffd\u001d\ufffd.=v,y",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdTO2-\ufffd\ufffd07\u0014\ufffd\rY\ufffd5dU\u0006S\ufffd\u001c\ufffd+\ufffd\tz\ufffd\ufffdY \ufffd\ufffd7V\u0017\ufffdqd\ufffd\ufffd\u0010\ufffd\ufffd\u0010\ufffd\ufffd\u0016\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\u05b3\u0002\u001c\ufffd\ufffdm\\\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7650c5ccf5d7c81f8c62d7c26dea0d05df566c62",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdTO2-\ufffd\ufffd07\u0014\ufffd\rY\ufffd5dU\u0006S\ufffd\u001c\ufffd+\ufffd\tz\ufffd\ufffdY \ufffd\ufffd7V\u0017\ufffdqd\ufffd\ufffd\u0010\ufffd\ufffd\u0010\ufffd\ufffd\u0016\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\u05b3\u0002\u001c\ufffd\ufffdm\\\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"evidence_snippet": "\ufffd\ufffdE\ufffd\ufffdTO2-\ufffd\ufffd07\ufffd\rY\ufffd5dUS\ufffd\ufffd+\ufffd\tz\ufffd\ufffdY \ufffd\ufffd7V\ufffdqd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\u05b3\ufffd\ufffdm\\&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "cpanel",
"service_label_fr": "CPANEL",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003E\ufffd\ufffdTO2-\ufffd\ufffd07\u0014\ufffd\rY\ufffd5dU\u0006S\ufffd\u001c\ufffd+\ufffd\tz\ufffd\ufffdY \ufffd\ufffd7V\u0017\ufffdqd\ufffd\ufffd\u0010\ufffd\ufffd\u0010\ufffd\ufffd\u0016\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\u05b3\u0002\u001c\ufffd\ufffdm\\\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "postgres probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdE\ufffd\ufffdTO2-\ufffd\ufffd07\ufffd\rY\ufffd5dUS\ufffd\ufffd+\ufffd\tz\ufffd\ufffdY \ufffd\ufffd7V\ufffdqd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffd\ufffd\u05b3\ufffd\ufffdm\\&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel",
"service_banner": "honeypot-cpanel",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_emulated",
"net_cpanel_probe",
"tls_clienthello"
]
}
|
|
|
TCP |
2082 · CPANEL
|
cpanel
|
cpanel probe
cpanel probe · via CPANEL:2082 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
CPANEL
WAF
—
Recommandation
Surveiller
Tags
cpanel_emulated
http_get_probe
net_cpanel_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Service
CPANEL
Payload
GET / HTTP/1.1 Host: 62.3.50.33:2082
Pourquoi cette classification : Type « cpanel_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2082
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 41,
"payload_entropy": 4.222690418935625,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "cpanel",
"app_proto": "cpanel",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 0
},
"risk_score": 34,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f7c1167600263791b1e9ebc99a5095e02cb46b54",
"event_fingerprint": "2ba81f55f1429aafe8b166faf2b84499ed62bf27",
"classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 0,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "cpanel",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "68f6260db0a870c082fb1c02676f108c",
"path_pattern_hash": "e7139612faef5d92b03716e3491ff506"
},
"target_context": {
"dst_port": 2082,
"service": "cpanel",
"service_name": "cpanel",
"risk_score": 34
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082",
"classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"enterprise_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5f37dfce4cc82d28c814660ebc6247cf757a2364",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082",
"attack_vector": "cpanel probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 0,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "cpanel",
"service_label_fr": "CPANEL",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "cpanel probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel",
"service_banner": "honeypot-cpanel",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_emulated",
"http_get_probe",
"net_cpanel_probe"
]
}
|
|
|
TCP |
2082 · CPANEL
|
cpanel
|
cpanel probe
cpanel probe · via CPANEL:2082 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
CPANEL
WAF
—
Recommandation
Surveiller
Tags
cpanel_emulated
net_cpanel_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Pourquoi cette classification : Type « cpanel_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "cpanel",
"app_proto": "cpanel",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.5,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 34,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3fd7ce0c7488204fefb3517534e11698439a8072",
"event_fingerprint": "2ba81f55f1429aafe8b166faf2b84499ed62bf27",
"classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "cpanel",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "e7139612faef5d92b03716e3491ff506"
},
"target_context": {
"dst_port": 2082,
"service": "cpanel",
"service_name": "cpanel",
"risk_score": 34
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"enterprise_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f363d2d7e1cbaaff645db9116c3163621cea24f1",
"protocol_details": {
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "cpanel probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab cpanel_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "cpanel",
"service_label_fr": "CPANEL",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "cpanel probe \u00b7 via CPANEL:2082 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel",
"service_banner": "honeypot-cpanel",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_emulated",
"net_cpanel_probe"
]
}
|
|
|
TCP |
8040 · HTTP ALT 8040
|
http-alt-8040
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8040:8040 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
HTTP-ALT-8040
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8040
Chemin / cible
—
Service
HTTP ALT 8040
Payload
�����������Wco��co�8�F����5��i�o��Nڑbk�ƞ ���������ly>����_�H�v�;��A����V�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Wco��co�8�F����5��i�o��Nڑbk�ƞ ���������ly>����_�H�v�;��A����V�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
�����������Wco��co�8�F����5��i�o��Nڑbk�ƞ ���������ly>����_�H�v�;��A����V�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ޥ}�q��( v��� �fo����~�&⍽���J
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.870373583305728,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8040",
"app_proto": "http-alt-8040",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a7294fb57e5d1bd7f515642bfb7d775028264167",
"event_fingerprint": "ce3872fa31b8251521ce92e15f09a1ea7ad32402",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8040",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dbadf8a82922a2023a6bc0a3dd10f891",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8040,
"service": "http-alt-8040",
"service_name": "http-alt-8040",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Wco\ufffd\u0005co\ufffd8\ufffdF\ufffd\ufffd\ufffd\ufffd5\ufffd\u000ei\ufffdo\ufffd\u0012N\u0691bk\ufffd\u019e \ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0000\u0010ly>\ufffd\ufffd\ufffd\ufffd_\ufffdH\ufffdv\ufffd;\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdV\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Wco\ufffd\u0005co\ufffd8\ufffdF\ufffd\ufffd\ufffd\ufffd5\ufffd\u000ei\ufffdo\ufffd\u0012N\u0691bk\ufffd\u019e \ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0000\u0010ly>\ufffd\ufffd\ufffd\ufffd_\ufffdH\ufffdv\ufffd;\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdV\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u07a5}\ufffdq\ufffd\ufffd(\tv\ufffd\ufffd\u001b \ufffdfo\u000f\ufffd\u000f\ufffd~\ufffd&\u237d\ufffd\ufffd\ufffdJ",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Wco\ufffd\u0005co\ufffd8\ufffdF\ufffd\ufffd\ufffd\ufffd5\ufffd\u000ei\ufffdo\ufffd\u0012N\u0691bk\ufffd\u019e \ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0000\u0010ly>\ufffd\ufffd\ufffd\ufffd_\ufffdH\ufffdv\ufffd;\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdV\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0ccd706d6db40498779a80adcf1c0fe56f89b192",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Wco\ufffd\u0005co\ufffd8\ufffdF\ufffd\ufffd\ufffd\ufffd5\ufffd\u000ei\ufffdo\ufffd\u0012N\u0691bk\ufffd\u019e \ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0000\u0010ly>\ufffd\ufffd\ufffd\ufffd_\ufffdH\ufffdv\ufffd;\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdV\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"evidence_snippet": "\ufffd\ufffdWco\ufffdco\ufffd8\ufffdF\ufffd\ufffd\ufffd\ufffd5\ufffdi\ufffdo\ufffdN\u0691bk\ufffd\u019e \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdly>\ufffd\ufffd\ufffd\ufffd_\ufffdH\ufffdv\ufffd;\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdV&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8040",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Wco\ufffd\u0005co\ufffd8\ufffdF\ufffd\ufffd\ufffd\ufffd5\ufffd\u000ei\ufffdo\ufffd\u0012N\u0691bk\ufffd\u019e \ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u0000\u0010ly>\ufffd\ufffd\ufffd\ufffd_\ufffdH\ufffdv\ufffd;\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdV\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdWco\ufffdco\ufffd8\ufffdF\ufffd\ufffd\ufffd\ufffd5\ufffdi\ufffdo\ufffdN\u0691bk\ufffd\u019e \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdly>\ufffd\ufffd\ufffd\ufffd_\ufffdH\ufffdv\ufffd;\ufffd\ufffdA\ufffd\ufffd\ufffd\ufffdV&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8040",
"service_banner": "honeypot-http-alt-8040",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8040"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
8040 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:8040 · (sonde / probe) · → /0md2f2w96x38
|
Élevée
|
Moyen · 47
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1595
TA0007
TA0001
Protocole
GET /0md2f2w96x38 UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
27
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/0md2f2w96x38
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8040
Chemin / cible
/0md2f2w96x38
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET /0md2f2w96x38 HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /0md2f2w96x38 HTTP/1.1
Host: 62.3.50.33:8040
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys
Requête brute (extrait)
GET /0md2f2w96x38 HTTP/1.1 Host: 62.3.50.33:8040 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "536ef780c53aff4571829d7569317b48bd3c681f",
"http_target_hash": "bcabd4e959e561d68c827a68fee76dad7b3b537f",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 173,
"payload_entropy": 5.33135709460911,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 67.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "007dfe7e38d4c5651f5826b20d71026c115b6fdb",
"event_fingerprint": "28f5263c898e60c69724e6637180008f95b271b1",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "d0d36e1161d54ccb439b8ef965ccaa2d",
"path_pattern_hash": "f1f55072e5df7692da3fba4a331e3d23"
},
"target_context": {
"dst_port": 8040,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/0md2f2w96x38 HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys",
"method": "GET",
"path": "\/0md2f2w96x38",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/0md2f2w96x38 HTTP\/1.1",
"request_sample": "GET \/0md2f2w96x38 HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/0md2f2w96x38 HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys",
"evidence": {
"method": "GET",
"path": "\/0md2f2w96x38",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/0md2f2w96x38 HTTP\/1.1",
"request_sample": "GET \/0md2f2w96x38 HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/0md2f2w96x38 HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ed56d54a234daf7a11cf755f11697d04cb0d9af6",
"protocol_details": {
"http_method": "GET",
"http_path": "\/0md2f2w96x38",
"request_line": "GET \/0md2f2w96x38 HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/0md2f2w96x38 HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys",
"attack_vector": "web scanner \u00b7 via HTTP:8040 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/0md2f2w96x38",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/0md2f2w96x38",
"request_line": "GET \/0md2f2w96x38 HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:8040 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/0md2f2w96x38",
"evidence_snippet": "GET \/0md2f2w96x38 HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8040"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
8040 · HTTP ALT 8040
|
http-alt-8040
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8040:8040 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
HTTP-ALT-8040
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8040
Chemin / cible
—
Service
HTTP ALT 8040
Payload
��������������FDm � ��ص7/k�[��g��oE�� �y� p����$���� ���/���Z����\�P��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������FDm
� ��ص7/k�[��g��oE��
�y� p����$��������/���Z����\�P��&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
��������������FDm � ��ص7/k�[��g��oE�� �y� p����$���� ���/���Z����\�P��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ��lk��tBM}�<)Y��̤̱�����*�?���T
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.837237758016652,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8040",
"app_proto": "http-alt-8040",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a7294fb57e5d1bd7f515642bfb7d775028264167",
"event_fingerprint": "ce3872fa31b8251521ce92e15f09a1ea7ad32402",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http-alt-8040",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7629aaa37a7e9fbe04a0676852590df0",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8040,
"service": "http-alt-8040",
"service_name": "http-alt-8040",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0015\ufffdFDm\r\ufffd \ufffd\u001a\u06357\/k\ufffd[\ufffd\ufffdg\u0018\ufffdoE\u000e\ufffd\n\ufffdy\ufffd p\ufffd\ufffd\u0003\ufffd$\ufffd\u001c\ufffd\ufffd\f\ufffd\u0016\u0016\/\ufffd\ufffd\u0005Z\u000f\ufffd\u0000\ufffd\\\ufffdP\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0015\ufffdFDm\r\ufffd \ufffd\u001a\u06357\/k\ufffd[\ufffd\ufffdg\u0018\ufffdoE\u000e\ufffd\n\ufffdy\ufffd p\ufffd\ufffd\u0003\ufffd$\ufffd\u001c\ufffd\ufffd\f\ufffd\u0016\u0016\/\ufffd\ufffd\u0005Z\u000f\ufffd\u0000\ufffd\\\ufffdP\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdlk\ufffd\ufffdtBM}\ufffd<)Y\ufffd\ufffd\u0324\u0331\ufffd\ufffd\u001b\ufffd\ufffd*\ufffd?\ufffd\ufffd\ufffdT",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0015\ufffdFDm\r\ufffd \ufffd\u001a\u06357\/k\ufffd[\ufffd\ufffdg\u0018\ufffdoE\u000e\ufffd\n\ufffdy\ufffd p\ufffd\ufffd\u0003\ufffd$\ufffd\u001c\ufffd\ufffd\f\ufffd\u0016\u0016\/\ufffd\ufffd\u0005Z\u000f\ufffd\u0000\ufffd\\\ufffdP\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ffe1e629330bb7fd0bdb2edae7fe5ff26fe3801",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0015\ufffdFDm\r\ufffd \ufffd\u001a\u06357\/k\ufffd[\ufffd\ufffdg\u0018\ufffdoE\u000e\ufffd\n\ufffdy\ufffd p\ufffd\ufffd\u0003\ufffd$\ufffd\u001c\ufffd\ufffd\f\ufffd\u0016\u0016\/\ufffd\ufffd\u0005Z\u000f\ufffd\u0000\ufffd\\\ufffdP\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdFDm\r\ufffd \ufffd\u06357\/k\ufffd[\ufffd\ufffdg\ufffdoE\ufffd\n\ufffdy\ufffd p\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffdZ\ufffd\ufffd\\\ufffdP\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8040",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0015\ufffdFDm\r\ufffd \ufffd\u001a\u06357\/k\ufffd[\ufffd\ufffdg\u0018\ufffdoE\u000e\ufffd\n\ufffdy\ufffd p\ufffd\ufffd\u0003\ufffd$\ufffd\u001c\ufffd\ufffd\f\ufffd\u0016\u0016\/\ufffd\ufffd\u0005Z\u000f\ufffd\u0000\ufffd\\\ufffdP\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdFDm\r\ufffd \ufffd\u06357\/k\ufffd[\ufffd\ufffdg\ufffdoE\ufffd\n\ufffdy\ufffd p\ufffd\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffdZ\ufffd\ufffd\\\ufffdP\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8040",
"service_banner": "honeypot-http-alt-8040",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8040"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
8040 · HTTP
|
http
|
Traversal LFI
lfi path traversal · via HTTP:8040 · (tentative d'exploit) · → /login
|
Élevée
|
Moyen · 47
|
|
Étape
Tentative d'exploit
Chaîne
Exploitation
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0001
TA0001
TA0002
Protocole
GET /login UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
27
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/login
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8040
Chemin / cible
/login
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 59%
Confiance classification
67%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 59 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
CRS-930100-sub
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET /login HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /login HTTP/1.1
Host: 62.3.50.33:8040
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Requête brute (extrait)
GET /login HTTP/1.1 Host: 62.3.50.33:8040 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "536ef780c53aff4571829d7569317b48bd3c681f",
"http_target_hash": "c42c80aa06113268fddf90dfdc871fb7318ff5cf",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 166,
"payload_entropy": 5.188713865292366,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 67.5,
"risk_classification": 78,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 67.5,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "c857a6a34dbdbbc9bf014ac245430fe7b755b55c",
"event_fingerprint": "e4f3fb1d96d493fcff15ac76e240406099c470bc",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 70,
"precision_signals": [
"CRS-930100-sub"
],
"kb_rule_ids": [
"CRS-930100-sub"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 67.5,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"classification_parent": "path_traversal",
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "940af559c67e3563af99a8e1f649e5ba",
"path_pattern_hash": "7e93fba0bc7adda858a2500090e639e4"
},
"target_context": {
"dst_port": 8040,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/login HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\n",
"method": "GET",
"path": "\/login",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/login HTTP\/1.1",
"request_sample": "GET \/login HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/login HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"evidence": {
"method": "GET",
"path": "\/login",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/login HTTP\/1.1",
"request_sample": "GET \/login HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/login HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"path_traversal",
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7efde30ab8ec71edd0b9ac685048263b720f0496",
"protocol_details": {
"http_method": "GET",
"http_path": "\/login",
"request_line": "GET \/login HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/login HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"attack_vector": "lfi path traversal \u00b7 via HTTP:8040 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 47\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 67 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 67.5,
"classification": 78,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"CRS-930100-sub"
],
"tags_summary_labels_fr": [
"CRS-930100-sub"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/login",
"request_line": "GET \/login HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "lfi path traversal \u00b7 via HTTP:8040 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login",
"evidence_snippet": "GET \/login HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8040"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_probe_login",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
8040 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:8040 · (sonde / probe) · → /favicon.ico
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /favicon.ico UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
27
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/favicon.ico
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8040
Chemin / cible
/favicon.ico
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 50 % — 4 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET /favicon.ico HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /favicon.ico HTTP/1.1
Host: 62.3.50.33:8040
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.
Requête brute (extrait)
GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8040 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20696d6167652f782d69636f6e0d0a436f6e74656e742d4c656e6774683a2032320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a0000010001001010000001002000680400001600",
"emulator_response_len": 130,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ico",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "536ef780c53aff4571829d7569317b48bd3c681f",
"http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 178,
"payload_entropy": 5.143182603910367,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 67.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 42,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "007dfe7e38d4c5651f5826b20d71026c115b6fdb",
"event_fingerprint": "9fa8ff5fefab62f49bf6f4a20c0917e75df7e2da",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "bc68646b486894505e298b3da1a813e4",
"path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a"
},
"target_context": {
"dst_port": 8040,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"evidence": {
"method": "GET",
"path": "\/favicon.ico",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/favicon.ico HTTP\/1.1",
"request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b9b574aaddfccddd81b1dedf0560f7db19add5a7",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"attack_vector": "web scanner \u00b7 via HTTP:8040 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 67.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/favicon.ico",
"request_line": "GET \/favicon.ico HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:8040 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico",
"evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 67 \u00b7 Bonus corr\u00e9lation +8 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8040"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
8040 · HTTP
|
http
|
Sonde HTTP
Sonde HTTP · via HTTP:8040 · (sonde / probe) · → *
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
PRI *
Émulateur
HTTP
WAF
0
Recommandation
Surveiller
Tags
http_no_ua
net_web_probe
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
8040
Chemin / cible
*
Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 71%
Confiance classification
79%
Corrélation +8
Risque capteur
Moyen
· 40
Confiance : Confiance 71 % — Score WAF 8
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
PRI * HTTP/1.1
User-Agent
—
Règles WAF
—
Payload (extrait)
PRI * HTTP/2.0
SM
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 24,
"payload_entropy": 3.66829583405449,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0
},
"risk_score": 40,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "e16689bb35cd8f6d595bbefc4de69d985c00e2ed",
"event_fingerprint": "c58df97b3180e5c2ce4a9f56d8b07fd6a7e42c8d",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bd71964d35f553a9e1d0cddcb5864e08",
"path_pattern_hash": "684888c0ebb17f374298b65ee2807526"
},
"service_name": "http",
"target_context": {
"dst_port": 8040,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n",
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"evidence": {
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%"
},
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%",
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"confidence": 0.79,
"classification_confidence": 0.79,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "89f95e81e656927e757a573512b2f8de0ddbbee8",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"attack_vector": "Sonde HTTP \u00b7 via HTTP:8040 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 71 % \u2014 Score WAF 8",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%",
"classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 71%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 79,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 0,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "Sonde HTTP \u00b7 via HTTP:8040 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 71 % \u2014 Score WAF 8",
"confidence_factors_fr": "Confiance 79 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8040"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_no_ua",
"net_web_probe"
]
}
|
|
|
TCP |
8040 · HTTP ALT 8040
|
http-alt-8040
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8040:8040 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
HTTP-ALT-8040
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8040
Chemin / cible
—
Service
HTTP ALT 8040
Payload
������������6��J廒�5��D#�)����2��fuT�E�� KR�"���-4���l"��ڒE[��ҥ�G���jb��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������6��J廒�5��D#�)����2��fuT�E�� KR�"���-4���l"��ڒE[��ҥ�G���jb��&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
������������6��J廒�5��D#�)����2��fuT�E�� KR�"���-4���l"��ڒE[��ҥ�G���jb��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ��l��(�03��R(3��?�z߂���C��!9f
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.816679594217312,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8040",
"app_proto": "http-alt-8040",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a7294fb57e5d1bd7f515642bfb7d775028264167",
"event_fingerprint": "ce3872fa31b8251521ce92e15f09a1ea7ad32402",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "http-alt-8040",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d8364a474366d90c67e7539ed30a29db",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8040,
"service": "http-alt-8040",
"service_name": "http-alt-8040",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u000fJ\u5ed2\ufffd5\u0001\ufffdD#\ufffd)\b\ufffd\ufffd\ufffd2\ufffd\u0003\u07b7fuT\ufffdE\ufffd\ufffd KR\ufffd\"\ufffd\u001e\ufffd-4\ufffd\ufffd\ufffdl\"\u0007\ufffd\u0692E[\ufffd\ufffd\u04a5\ufffdG\ufffd\u001c\ufffdjb\u0006\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u000fJ\u5ed2\ufffd5\u0001\ufffdD#\ufffd)\b\ufffd\ufffd\ufffd2\ufffd\u0003\u07b7fuT\ufffdE\ufffd\ufffd KR\ufffd\"\ufffd\u001e\ufffd-4\ufffd\ufffd\ufffdl\"\u0007\ufffd\u0692E[\ufffd\ufffd\u04a5\ufffdG\ufffd\u001c\ufffdjb\u0006\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdl\u0000\ufffd(\ufffd03\ufffd\u0011R(3\ufffd\ufffd?\ufffdz\u07c2\u0015\u0003\ufffdC\u0000\ufffd!9f",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u000fJ\u5ed2\ufffd5\u0001\ufffdD#\ufffd)\b\ufffd\ufffd\ufffd2\ufffd\u0003\u07b7fuT\ufffdE\ufffd\ufffd KR\ufffd\"\ufffd\u001e\ufffd-4\ufffd\ufffd\ufffdl\"\u0007\ufffd\u0692E[\ufffd\ufffd\u04a5\ufffdG\ufffd\u001c\ufffdjb\u0006\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5c7fb3b5c1c983faba1198ba7cc8003893e1b633",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u000fJ\u5ed2\ufffd5\u0001\ufffdD#\ufffd)\b\ufffd\ufffd\ufffd2\ufffd\u0003\u07b7fuT\ufffdE\ufffd\ufffd KR\ufffd\"\ufffd\u001e\ufffd-4\ufffd\ufffd\ufffdl\"\u0007\ufffd\u0692E[\ufffd\ufffd\u04a5\ufffdG\ufffd\u001c\ufffdjb\u0006\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"evidence_snippet": "\ufffd\ufffd\ufffd6\ufffdJ\u5ed2\ufffd5\ufffdD#\ufffd)\ufffd\ufffd\ufffd2\ufffd\u07b7fuT\ufffdE\ufffd\ufffd KR\ufffd\"\ufffd\ufffd-4\ufffd\ufffd\ufffdl\"\ufffd\u0692E[\ufffd\ufffd\u04a5\ufffdG\ufffd\ufffdjb&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8040",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd6\ufffd\u000fJ\u5ed2\ufffd5\u0001\ufffdD#\ufffd)\b\ufffd\ufffd\ufffd2\ufffd\u0003\u07b7fuT\ufffdE\ufffd\ufffd KR\ufffd\"\ufffd\u001e\ufffd-4\ufffd\ufffd\ufffdl\"\u0007\ufffd\u0692E[\ufffd\ufffd\u04a5\ufffdG\ufffd\u001c\ufffdjb\u0006\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd6\ufffdJ\u5ed2\ufffd5\ufffdD#\ufffd)\ufffd\ufffd\ufffd2\ufffd\u07b7fuT\ufffdE\ufffd\ufffd KR\ufffd\"\ufffd\ufffd-4\ufffd\ufffd\ufffdl\"\ufffd\u0692E[\ufffd\ufffd\u04a5\ufffdG\ufffd\ufffdjb&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8040",
"service_banner": "honeypot-http-alt-8040",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
8040 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:8040 · (sonde / probe)
|
Élevée
|
Moyen · 47
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
30
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
8040
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1
Signaux
Scanner Censys
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8040
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Accep
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8040 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "536ef780c53aff4571829d7569317b48bd3c681f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.192679203957217,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 75,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 47,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "90a8ef436f4522f9dbf3c66c9ef21079e1e22e91",
"event_fingerprint": "c4bb6209b95de33393a471f90a642c813759bae4",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "2706f0952e238fe3e507d6e0cb53f15c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8040,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fbfa058a03898bb68eb4ebd962b116cd8c026cb0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"attack_vector": "web scanner \u00b7 via HTTP:8040 \u00b7 (sonde \/ probe)",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 47,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 8040,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:8040 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"target_port_label": "8040 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 75 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"http-alt-8040"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner",
"net_web_probe"
]
}
|
|
|
TCP |
8040 · HTTP ALT 8040
|
http-alt-8040
|
Sonde PostgreSQL
postgres probe · via HTTP ALT 8040:8040 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
HTTP-ALT-8040
WAF
—
Recommandation
Surveiller
Tags
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8040
Chemin / cible
—
Service
HTTP ALT 8040
Payload
���������������h�7��a�#.������߿w����҅���� �=��G;����R��N. �o�ɑ�}�MI|eu���&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������h�7��a�#.������߿w����҅���� �=��G;����R��N. �o�ɑ�}�MI|eu���&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
���������������h�7��a�#.������߿w����҅���� �=��G;����R��N. �o�ɑ�}�MI|eu���&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ��#��^�<�mg@^Fd���a2�VFݩ�V� k�-
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 243,
"payload_entropy": 5.844330314296383,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8040",
"app_proto": "http-alt-8040",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "a7294fb57e5d1bd7f515642bfb7d775028264167",
"event_fingerprint": "ce3872fa31b8251521ce92e15f09a1ea7ad32402",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "http-alt-8040",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1e12ef59aa23df29a4827545c2772ebb",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8040,
"service": "http-alt-8040",
"service_name": "http-alt-8040",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdh\ufffd7\ufffd\ufffda\ufffd#.\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\u07ffw\ufffd\ufffd\u0013\ufffd\u0485\ufffd\ufffd\ufffd\ufffd \t\ufffd=\ufffd\u001bG;\ufffd\ufffd\b\ufffdR\u0000\ufffdN. \ufffdo\ufffd\u0251\ufffd}\ufffdMI|eu\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdh\ufffd7\ufffd\ufffda\ufffd#.\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\u07ffw\ufffd\ufffd\u0013\ufffd\u0485\ufffd\ufffd\ufffd\ufffd \t\ufffd=\ufffd\u001bG;\ufffd\ufffd\b\ufffdR\u0000\ufffdN. \ufffdo\ufffd\u0251\ufffd}\ufffdMI|eu\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd#\u0004\ufffd^\ufffd<\ufffdmg@^Fd\u0001\ufffd\ufffda2\ufffdVF\u0769\ufffdV\ufffd\tk\ufffd-",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdh\ufffd7\ufffd\ufffda\ufffd#.\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\u07ffw\ufffd\ufffd\u0013\ufffd\u0485\ufffd\ufffd\ufffd\ufffd \t\ufffd=\ufffd\u001bG;\ufffd\ufffd\b\ufffdR\u0000\ufffdN. \ufffdo\ufffd\u0251\ufffd}\ufffdMI|eu\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1896732243655786edc09bf9945142e28f79864f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdh\ufffd7\ufffd\ufffda\ufffd#.\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\u07ffw\ufffd\ufffd\u0013\ufffd\u0485\ufffd\ufffd\ufffd\ufffd \t\ufffd=\ufffd\u001bG;\ufffd\ufffd\b\ufffdR\u0000\ufffdN. \ufffdo\ufffd\u0251\ufffd}\ufffdMI|eu\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffd7\ufffd\ufffda\ufffd#.\ufffd\ufffd\ufffd\ufffd\ufffd\u07ffw\ufffd\ufffd\ufffd\u0485\ufffd\ufffd\ufffd\ufffd \t\ufffd=\ufffdG;\ufffd\ufffd\ufffdR\ufffdN. \ufffdo\ufffd\u0251\ufffd}\ufffdMI|eu\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8040",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdh\ufffd7\ufffd\ufffda\ufffd#.\ufffd\ufffd\ufffd\ufffd\ufffd\u0006\u07ffw\ufffd\ufffd\u0013\ufffd\u0485\ufffd\ufffd\ufffd\ufffd \t\ufffd=\ufffd\u001bG;\ufffd\ufffd\b\ufffdR\u0000\ufffdN. \ufffdo\ufffd\u0251\ufffd}\ufffdMI|eu\ufffd\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"attack_vector": "postgres probe \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffd7\ufffd\ufffda\ufffd#.\ufffd\ufffd\ufffd\ufffd\ufffd\u07ffw\ufffd\ufffd\ufffd\u0485\ufffd\ufffd\ufffd\ufffd \t\ufffd=\ufffdG;\ufffd\ufffd\ufffdR\ufffdN. \ufffdo\ufffd\u0251\ufffd}\ufffdMI|eu\ufffd\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8040",
"service_banner": "honeypot-http-alt-8040",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_clienthello"
]
}
|
|
|
TCP |
8040 · HTTP ALT 8040
|
http-alt-8040
|
http-alt-8040
http-alt-8040 · via HTTP ALT 8040:8040 · (sonde / probe)
|
Moyenne
|
Faible · 24
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
HTTP-ALT-8040
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8040
Chemin / cible
—
Service
HTTP ALT 8040
Payload
GET / HTTP/1.1 Host: 62.3.50.33:8040
Pourquoi cette classification : Type « http-alt-8040 » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 24
Confiance : Confiance 0 % — 1 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8040
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 41,
"payload_entropy": 4.271470906740503,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8040",
"app_proto": "http-alt-8040",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 8,
"risk_classification": 16,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 32,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0
},
"risk_score": 24,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "3b1522c9075de61361797cd470d6a36fafad21cc",
"event_fingerprint": "ce3872fa31b8251521ce92e15f09a1ea7ad32402",
"classification_reason": "Type \u00ab http-alt-8040 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0,
"risk_score": 24
},
"named_classification_skipped": false,
"service_name": "http-alt-8040",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e4d7a604d83a8b7065a0043c1a636968",
"path_pattern_hash": "5793dd20d50d0d49b3d5cfd92ee6bab1"
},
"target_context": {
"dst_port": 8040,
"service": "http-alt-8040",
"service_name": "http-alt-8040",
"risk_score": 24
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040",
"classification_reason": "Type \u00ab http-alt-8040 \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dff46dd6d3263454430b0003d7fb37848417bbfe",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040",
"attack_vector": "http-alt-8040 \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http-alt-8040 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab http-alt-8040 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 16,
"behavior": 0,
"geo": 0,
"protocol": 32,
"novelty": 0,
"risk_score": 24
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 24,
"risk_label": "Faible",
"service_name": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8040",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"attack_vector": "http-alt-8040 \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8040",
"service_banner": "honeypot-http-alt-8040",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe"
]
}
|
|
|
TCP |
8040 · HTTP ALT 8040
|
http-alt-8040
|
http-alt-8040
http-alt-8040 · via HTTP ALT 8040:8040 · (sonde / probe)
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
HTTP-ALT-8040
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8040
Chemin / cible
—
Pourquoi cette classification : Type « http-alt-8040 » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 0
Confiance : Confiance faible (0 %) — classification prudente
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http-alt-8040",
"app_proto": "http-alt-8040",
"asn": 398722,
"country": "US",
"dst_port": 8040,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "a11ba962f4ed0fdc50f450ebed5c49919244dbfa",
"event_fingerprint": "ce3872fa31b8251521ce92e15f09a1ea7ad32402",
"classification_reason": "Type \u00ab http-alt-8040 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "http-alt-8040",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "5793dd20d50d0d49b3d5cfd92ee6bab1"
},
"target_context": {
"dst_port": 8040,
"service": "http-alt-8040",
"service_name": "http-alt-8040",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2b1422061e41e80dccaa5530e36f1fe28dcba2ab",
"protocol_details": {
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"attack_vector": "http-alt-8040 \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab http-alt-8040 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab http-alt-8040 \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 0,
"risk_label": "Faible",
"service_name": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8040",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"attack_vector": "http-alt-8040 \u00b7 via HTTP ALT 8040:8040 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance faible (0 %) \u2014 classification prudente",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8040",
"service_banner": "honeypot-http-alt-8040",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9601
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
33
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950468:nosqli-3
Cible HTTP
GET
/.well-known/security.txt
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9601
Chemin / cible
/.well-known/security.txt
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "txt",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "8e628ca9d521f1293a89f73a298400b28c840495",
"http_target_hash": "45c9b9d0d93f4f7ad3de5a5667f00a2d2df4266d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 185,
"payload_entropy": 5.21768333943229,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "ad138900cd385f54fa4f79b01c7a8fd16bbedb5c",
"event_fingerprint": "16619c0ea944e72c5f0744cde03db9af0334e85d",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
9601
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9601
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9601
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "8e628ca9d521f1293a89f73a298400b28c840495",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.177992694785788,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "61b8c5a2b5ca9804281695cc1d1de7418c440ade",
"event_fingerprint": "00a6d53da0f9496d034c7405aba32fb54874e9c5",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
9601
|
http
|
http
|
Faible
|
Faible · 14
|
|
Étape
—
WAF
0
Recommandation
—
Tags
http_no_ua
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
9601
Chemin / cible
*
Ligne de requête
PRI / HTTP/1.1
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 24,
"payload_entropy": 3.66829583405449,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 1,
"anomaly_count": 0,
"risk_score": 14,
"campaign_key": "29040c5542b4ba888f717aa9c7391d035838916f",
"event_fingerprint": "8f5f9b8bb02703f9b224f5a29bcf0787ad593f2d",
"tags_list": [
"http_no_ua"
]
}
|
|
|
TCP |
9601
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9601
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9601
|
http
|
http
|
Faible
|
Faible · 21
|
|
Étape
—
WAF
3
Recommandation
—
Tags
950734:sap-sapcontrol-path
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9601
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "8e628ca9d521f1293a89f73a298400b28c840495",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 154,
"payload_entropy": 5.296177487584139,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 2,
"anomaly_count": 0,
"risk_score": 21,
"campaign_key": "ff7419455f3e2c9ab4f1ee31e4e509290dda9ce9",
"event_fingerprint": "788caf1cf03eed6d60138440f3d9a5b4fd980a7b",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua"
]
}
|
|
|
TCP |
9601
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9601
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9601
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
9601
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3387
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
27
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/sitemap.xml
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3387
Chemin / cible
/sitemap.xml
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "xml",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "5360a81825ed946876b5b355f042de56730e919a",
"http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 172,
"payload_entropy": 5.201404836305278,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "108cadeda99499e6fc64807a4ad8c2e002ec6e9f",
"event_fingerprint": "d17a5af2c8d09943260415e3981fdfe4fcbe9cc2",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
3387
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3387
|
http
|
http
|
Faible
|
Faible · 14
|
|
Étape
—
WAF
0
Recommandation
—
Tags
http_no_ua
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
3387
Chemin / cible
*
Ligne de requête
PRI / HTTP/1.1
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 57,
"payload_entropy": 3.474882067394362,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 1,
"anomaly_count": 0,
"risk_score": 14,
"campaign_key": "770277d33020d19713d1fb5bdba3782d1f4cae09",
"event_fingerprint": "12d6f7265d93b4ab5760e7d00f053e11cd402603",
"tags_list": [
"http_no_ua"
]
}
|
|
|
TCP |
3387
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3387
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3387
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "5360a81825ed946876b5b355f042de56730e919a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.187370179284713,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "e26ad2b9df5304bb450e4051d73311709af56b6e",
"event_fingerprint": "9a8abc45d211c69449be63a68e1b481f5b22dfb3",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
3387
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3387
|
http
|
http
|
Faible
|
Faible · 21
|
|
Étape
—
WAF
3
Recommandation
—
Tags
950734:sap-sapcontrol-path
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
3387
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "5360a81825ed946876b5b355f042de56730e919a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 154,
"payload_entropy": 5.259751250737147,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 2,
"anomaly_count": 0,
"risk_score": 21,
"campaign_key": "5e9204bfaefbceeb13ebff078e0a2733b72fa1f0",
"event_fingerprint": "99468c9f0dfdd3a01a740e9486824eb0342e55aa",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua"
]
}
|
|
|
TCP |
3387
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
3387
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|