|
|
TCP |
10260 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:10260 · (sonde / probe) · → /.well-known/security.txt
|
Élevée
|
Moyen · 46
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /.well-known/security.txt UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
33
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950468:nosqli-3
Cible HTTP
GET
/.well-known/security.txt
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10260
Chemin / cible
/.well-known/security.txt
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 46
Confiance : Confiance 50 % — 5 tag(s) WAF
Signaux
Scanner Censys
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MITRE T1595 active scan
LFI Double-dot bypass
Probe /.well-known/
UA censys
Ligne de requête
GET /.well-known/security.txt HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /.well-known/security.txt HTTP/1.1
Host: 62.3.50.33:10260
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https:/
Requête brute (extrait)
GET /.well-known/security.txt HTTP/1.1 Host: 62.3.50.33:10260 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "txt",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "dda76608d6c1f2e3c2d8f998a1e357d396f63359",
"http_target_hash": "45c9b9d0d93f4f7ad3de5a5667f00a2d2df4266d",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 186,
"payload_entropy": 5.209700397675881,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 82.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25
},
"risk_score": 46,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "537c7b29386d129ba7de0216ee3f874e9cde87a2",
"event_fingerprint": "f98d3ba7a6a6d951b48d1c928128f282c121ecd2",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"confidence": 0.58,
"classification_confidence": 0.58,
"precision_score": 115,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream"
],
"matched_patterns": [
"pat-0806",
"pat-0103",
"pat-0228",
"pat-0431"
],
"matched_pattern_names": [
"MITRE T1595 active scan",
"LFI Double-dot bypass",
"Probe \/.well-known\/",
"UA censys"
],
"pattern_ids": [
"pat-0806",
"pat-0103",
"pat-0228",
"pat-0431"
],
"confidence_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25,
"risk_score": 46,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "2cc1156ffe799cc6a086473ae30fd52a",
"path_pattern_hash": "c8b429a17a0f3584726a903b01671348"
},
"target_context": {
"dst_port": 10260,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"method": "GET",
"path": "\/.well-known\/security.txt",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"request_sample": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"evidence": {
"method": "GET",
"path": "\/.well-known\/security.txt",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"request_sample": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d30f86c5d9f25f584ea8db30cc4966a27f35a90f",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.well-known\/security.txt",
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 10260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"attack_vector": "web scanner \u00b7 via HTTP:10260 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/.well-known\/security.txt",
"target_port_label": "10260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 46\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 82.5,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25,
"risk_score": 46,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.well-known\/security.txt",
"request_line": "GET \/.well-known\/security.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 10260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:10260 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/.well-known\/security.txt",
"evidence_snippet": "GET \/.well-known\/security.txt HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/",
"target_port_label": "10260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 82 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:10260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"http_ua_disclosed_scanner"
]
}
|
|
|
TCP |
10260 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:10260 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10260
Chemin / cible
—
Service
TLS
Payload
�����������(�l�#��9V�,��M]�� aƱ ��C�~@��l ��b�P�L8�{��G�'/LJؕSQ�5�a��]��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������(�l�#��9V�,��M]��
aƱ���C�~@��l ��b�P�L8�{��G�'/LJؕSQ�5�a��]��&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
�����������(�l�#��9V�,��M]�� aƱ ��C�~@��l ��b�P�L8�{��G�'/LJؕSQ�5�a��]��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ��[�1)�g���GZt��������,ښa��u� �
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.7851880943538605,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "d180979ce1ab4fea0c312fc60cf8b5867deec16e",
"event_fingerprint": "8ccc3f33629ded9b5e521776bb8fbb9cf5fee022",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "dcf5c7a4b8aa822be90a148e077b5ef9",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffdl\ufffd#\u0016\ufffd9V\ufffd,\ufffd\ufffdM]\ufffd\ufffd\na\u01b1\f\u0005\ufffdC\ufffd~@\u0012\u0017l \ufffd\ufffdb\ufffdP\ufffdL8\ufffd{\ufffd\u001eG\u0010'\/LJ\u0615SQ\ufffd5\ufffda\u0003\u001e]\ufffd\u0082\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffdl\ufffd#\u0016\ufffd9V\ufffd,\ufffd\ufffdM]\ufffd\ufffd\na\u01b1\f\u0005\ufffdC\ufffd~@\u0012\u0017l \ufffd\ufffdb\ufffdP\ufffdL8\ufffd{\ufffd\u001eG\u0010'\/LJ\u0615SQ\ufffd5\ufffda\u0003\u001e]\ufffd\u0082\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u000f[\u00161)\ufffdg\ufffd\ufffd\ufffdGZt\ufffd\ufffd\ufffd\ufffd\ufffd\u0003\ufffd\u0006,\u069aa\ufffd\u0004u\ufffd\n\u001c",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffdl\ufffd#\u0016\ufffd9V\ufffd,\ufffd\ufffdM]\ufffd\ufffd\na\u01b1\f\u0005\ufffdC\ufffd~@\u0012\u0017l \ufffd\ufffdb\ufffdP\ufffdL8\ufffd{\ufffd\u001eG\u0010'\/LJ\u0615SQ\ufffd5\ufffda\u0003\u001e]\ufffd\u0082\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "efd5cec44d199eac034ba9747f687eb5047654a8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffdl\ufffd#\u0016\ufffd9V\ufffd,\ufffd\ufffdM]\ufffd\ufffd\na\u01b1\f\u0005\ufffdC\ufffd~@\u0012\u0017l \ufffd\ufffdb\ufffdP\ufffdL8\ufffd{\ufffd\u001eG\u0010'\/LJ\u0615SQ\ufffd5\ufffda\u0003\u001e]\ufffd\u0082\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd(\ufffdl\ufffd#\ufffd9V\ufffd,\ufffd\ufffdM]\ufffd\ufffd\na\u01b1\ufffdC\ufffd~@l \ufffd\ufffdb\ufffdP\ufffdL8\ufffd{\ufffdG'\/LJ\u0615SQ\ufffd5\ufffda]\ufffd\u0082&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:10260 \u00b7 (sonde \/ probe)",
"target_port_label": "10260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003(\ufffdl\ufffd#\u0016\ufffd9V\ufffd,\ufffd\ufffdM]\ufffd\ufffd\na\u01b1\f\u0005\ufffdC\ufffd~@\u0012\u0017l \ufffd\ufffdb\ufffdP\ufffdL8\ufffd{\ufffd\u001eG\u0010'\/LJ\u0615SQ\ufffd5\ufffda\u0003\u001e]\ufffd\u0082\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:10260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd(\ufffdl\ufffd#\ufffd9V\ufffd,\ufffd\ufffdM]\ufffd\ufffd\na\u01b1\ufffdC\ufffd~@l \ufffd\ufffdb\ufffdP\ufffdL8\ufffd{\ufffdG'\/LJ\u0615SQ\ufffd5\ufffda]\ufffd\u0082&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "10260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:10260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
10260 · HTTP
|
http
|
Sonde PostgreSQL
postgres probe · via HTTP:10260 · (sonde / probe) · → *
|
Faible
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
PRI *
Émulateur
HTTP
WAF
0
Recommandation
Surveiller
Tags
http_no_ua
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
10260
Chemin / cible
*
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
PostgreSQL startup
ET H.323 setup
NFS RPC mount
Minecraft varint handshake
Ligne de requête
PRI * HTTP/1.1
User-Agent
—
Règles WAF
—
Payload (extrait)
PRI * HTTP/2.0
SM
�������������������Bh��������
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 57,
"payload_entropy": 3.474882067394362,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "2a27d93683670ef72d75a74d19c9eec47182183a",
"event_fingerprint": "9bbe13a98a420bcaf1a16212086937f4917feafe",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0348",
"pat-0369",
"pat-0868",
"pat-0532",
"pat-0554"
],
"matched_pattern_names": [
"RDP TPKT header",
"PostgreSQL startup",
"ET H.323 setup",
"NFS RPC mount",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0348",
"pat-0369",
"pat-0868",
"pat-0532",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fe3435fc30fb19e768a81e744ede3fba",
"path_pattern_hash": "684888c0ebb17f374298b65ee2807526"
},
"target_context": {
"dst_port": 10260,
"service": "http",
"service_name": "http",
"risk_score": 35
},
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000",
"evidence": {
"method": "PRI",
"path": "*",
"request_line": "PRI * HTTP\/1.1",
"request_sample": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"payload_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "74bc47b162830be513473c73975feb52dd6b13a1",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 10260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\nBh",
"attack_vector": "postgres probe \u00b7 via HTTP:10260 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"target_port_label": "10260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "PRI",
"http_path": "*",
"request_line": "PRI * HTTP\/1.1",
"port": 10260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "postgres probe \u00b7 via HTTP:10260 \u00b7 (sonde \/ probe) \u00b7 \u2192 *",
"evidence_snippet": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\nBh",
"target_port_label": "10260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:10260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_no_ua"
]
}
|
|
|
TCP |
10260 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:10260 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10260
Chemin / cible
—
Service
TLS
Payload
��������������LU�$�s#�q ��V�;��VE0�p �xJ��� �<�i�� ��`˄��e�y�9�6&���4��V5-��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������LU�$�s#�q
��V�;��VE0�p �xJ��� �<�i�� ��`˄��e�y�9�6&���4��V5-��&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
��������������LU�$�s#�q ��V�;��VE0�p �xJ��� �<�i�� ��`˄��e�y�9�6&���4��V5-��&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� �y{p����ГҮ�w��M+�F�u '�Z�&�й�
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.745030466014321,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "d180979ce1ab4fea0c312fc60cf8b5867deec16e",
"event_fingerprint": "8ccc3f33629ded9b5e521776bb8fbb9cf5fee022",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "d3cd17ac5d8d823ee8a21bab6775cd39",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0002LU\ufffd$\ufffds#\ufffdq\n\ufffd\ufffdV\ufffd;\ufffd\ufffdVE0\ufffdp \ufffdxJ\u001d\ufffd\ufffd \ufffd<\u0012i\u0004\ufffd\t\ufffd\ufffd`\u02c4\ufffd\ufffde\ufffdy\ufffd9\u00046&\ufffd\ufffd\ufffd4\ufffd\ufffdV5-\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0002LU\ufffd$\ufffds#\ufffdq\n\ufffd\ufffdV\ufffd;\ufffd\ufffdVE0\ufffdp \ufffdxJ\u001d\ufffd\ufffd \ufffd<\u0012i\u0004\ufffd\t\ufffd\ufffd`\u02c4\ufffd\ufffde\ufffdy\ufffd9\u00046&\ufffd\ufffd\ufffd4\ufffd\ufffdV5-\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0000y{p\u001e\ufffd\ufffd\u0006\u0413\u04ae\ufffdw\ufffd\ufffdM+\ufffdF\ufffdu\t'\ufffdZ\ufffd&\ufffd\u0439\u0002",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0002LU\ufffd$\ufffds#\ufffdq\n\ufffd\ufffdV\ufffd;\ufffd\ufffdVE0\ufffdp \ufffdxJ\u001d\ufffd\ufffd \ufffd<\u0012i\u0004\ufffd\t\ufffd\ufffd`\u02c4\ufffd\ufffde\ufffdy\ufffd9\u00046&\ufffd\ufffd\ufffd4\ufffd\ufffdV5-\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1f7a95e2c7b7a9dee4df539f764ce4e7689a27b8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0002LU\ufffd$\ufffds#\ufffdq\n\ufffd\ufffdV\ufffd;\ufffd\ufffdVE0\ufffdp \ufffdxJ\u001d\ufffd\ufffd \ufffd<\u0012i\u0004\ufffd\t\ufffd\ufffd`\u02c4\ufffd\ufffde\ufffdy\ufffd9\u00046&\ufffd\ufffd\ufffd4\ufffd\ufffdV5-\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdLU\ufffd$\ufffds#\ufffdq\n\ufffd\ufffdV\ufffd;\ufffd\ufffdVE0\ufffdp \ufffdxJ\ufffd\ufffd \ufffd<i\ufffd\t\ufffd\ufffd`\u02c4\ufffd\ufffde\ufffdy\ufffd96&\ufffd\ufffd\ufffd4\ufffd\ufffdV5-\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:10260 \u00b7 (sonde \/ probe)",
"target_port_label": "10260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\u0002LU\ufffd$\ufffds#\ufffdq\n\ufffd\ufffdV\ufffd;\ufffd\ufffdVE0\ufffdp \ufffdxJ\u001d\ufffd\ufffd \ufffd<\u0012i\u0004\ufffd\t\ufffd\ufffd`\u02c4\ufffd\ufffde\ufffdy\ufffd9\u00046&\ufffd\ufffd\ufffd4\ufffd\ufffdV5-\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:10260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdLU\ufffd$\ufffds#\ufffdq\n\ufffd\ufffdV\ufffd;\ufffd\ufffdVE0\ufffdp \ufffdxJ\ufffd\ufffd \ufffd<i\ufffd\t\ufffd\ufffd`\u02c4\ufffd\ufffde\ufffdy\ufffd96&\ufffd\ufffd\ufffd4\ufffd\ufffdV5-\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "10260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:10260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
10260 · HTTP
|
http
|
Scanner web
web scanner · via HTTP:10260 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.cens…
Émulateur
HTTP
WAF
30
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10260
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Corrélation +8
Risque capteur
Moyen
· 48
Confiance : Confiance 100 % — 5 tag(s) WAF
Signaux
Scanner Censys
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA censys
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
lfi-14
rce-0
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10260
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Acce
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10260 User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/) Accept: */* Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "dda76608d6c1f2e3c2d8f998a1e357d396f63359",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 162,
"payload_entropy": 5.167838237367476,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 75,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.9,
"risk_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25
},
"risk_score": 48,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "1224def5b04d2c1fd120c222c27d527cc4593466",
"event_fingerprint": "3dfbb2f635f51b328ebce687d580d39614bb6502",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 145,
"precision_signals": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0431"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA censys"
],
"pattern_ids": [
"pat-0103",
"pat-0431"
],
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25,
"risk_score": 48,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "360f2d3279959df44748b20b258261e1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10260,
"service": "http",
"service_name": "http",
"risk_score": 48
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"waf_tags": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccept: *\/*\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "367360135bc319b6089f177c7f08cb3ee2e5ad46",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 10260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"attack_vector": "web scanner \u00b7 via HTTP:10260 \u00b7 (sonde \/ probe)",
"target_port_label": "10260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 75,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25,
"risk_score": 48,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-censys",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Censys",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)",
"port": 10260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:10260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAcce",
"target_port_label": "10260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 75 \u00b7 Bonus corr\u00e9lation +8 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:10260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
]
}
|
|
|
TCP |
10260 · HTTP
|
http
|
Sonde HTTP
Sonde HTTP · via HTTP:10260 · (sonde / probe)
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET /
Émulateur
HTTP
WAF
8
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
951040:websocket-anomaly
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10260
Chemin / cible
/
Pourquoi cette classification : Sonde HTTP (tag sap-sapcontrol-path) · confiance 74%
Confiance classification
82%
Corrélation +8
Risque capteur
Moyen
· 40
Confiance : Confiance 74 % — Score WAF 40 · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
sap-sapcontrol-path
websocket-anomaly
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10260
Connection: Upgrade
Sec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg==
Sec-WebSocket-Version:
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10260 Connection: Upgrade Sec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg== Sec-WebSocket-Version: 13 Upgrade: websocket
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "dda76608d6c1f2e3c2d8f998a1e357d396f63359",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 155,
"payload_entropy": 5.2723617396502656,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 40,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 40,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 40,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "bbf5ad32c52b4422d4c34f8391b7205c381d4fb3",
"event_fingerprint": "60ee66e9490c3890e08c64254739735cddd059ed",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "585cfba220d54525056767be3337087d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"service_name": "http",
"target_context": {
"dst_port": 10260,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nConnection: Upgrade\r\nSec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg==\r\nSec-WebSocket-Version:",
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path",
"951040:websocket-anomaly"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"websocket-anomaly"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nConnection: Upgrade\r\nSec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg==\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nConnection: Upgrade\r\nSec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg==\r\nSec-WebSocket-Version:",
"evidence": {
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path",
"951040:websocket-anomaly"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"websocket-anomaly"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nConnection: Upgrade\r\nSec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg==\r\nSec-WebSocket-Version: 13\r\nUpgrade: websocket\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nConnection: Upgrade\r\nSec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg==\r\nSec-WebSocket-Version:",
"classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%"
},
"classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%",
"confidence_breakdown": {
"waf": 40,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"confidence": 0.82,
"classification_confidence": 0.82,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5c58e569b06efd46fd64c51d1adbcb111bd6c1fb",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 10260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nConnection: Upgrade\r\nSec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg==\r\nSec-WebSocket-Version:",
"attack_vector": "Sonde HTTP \u00b7 via HTTP:10260 \u00b7 (sonde \/ probe)",
"target_port_label": "10260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 74 % \u2014 Score WAF 40 \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%",
"classification_reason_label_fr": "Sonde HTTP (tag sap-sapcontrol-path) \u00b7 confiance 74%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 82,
"confidence_breakdown": {
"waf": 40,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15,
"risk_score": 40,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 10260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "Sonde HTTP \u00b7 via HTTP:10260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10260\r\nConnection: Upgrade\r\nSec-WebSocket-Key: z1K98bh3osBzRTIBQy81dg==\r\nSec-WebSocket-Version:",
"target_port_label": "10260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 74 % \u2014 Score WAF 40 \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 82 % \u2014 Score WAF 40 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:10260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"951040:websocket-anomaly",
"http_no_ua"
]
}
|
|
|
TCP |
10260 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:10260 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 35fa0a83e466acbe
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10260
Chemin / cible
—
Service
TLS
Payload
������������bS��MN�.�`�'T�/��������!�L���� ��� f�o�O��N�Yq��cV�L!]��i�R�{�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{��������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������bS��MN�.�`�'T�/��������!�L���� ����f�o�O��N�Yq��cV�L!]��i�R�{�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Requête brute (extrait)
������������bS��MN�.�`�'T�/��������!�L���� ��� f�o�O��N�Yq��cV�L!]��i�R�{�&̨̩�/�0�+�,��� ��� �����/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� my�z�c� �=�rp-p#��[� u-[���eV�
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.857430179899447,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "d180979ce1ab4fea0c312fc60cf8b5867deec16e",
"event_fingerprint": "8ccc3f33629ded9b5e521776bb8fbb9cf5fee022",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "e1d7f6e3286d0a921a69e497d62f77d8",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10260,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbS\ufffd\ufffdMN\ufffd.\ufffd`\ufffd'T\ufffd\/\ufffd\u0018\u0005\u000e\ufffd\ufffd\ufffd\u000f!\ufffdL\ufffd\u000e\ufffd\ufffd \ufffd\ufffd\ufffd\ff\ufffdo\ufffdO\ufffd\ufffdN\ufffdYq\ufffd\ufffdcV\ufffdL!]\ufffd\ufffdi\ufffdR\ufffd{\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbS\ufffd\ufffdMN\ufffd.\ufffd`\ufffd'T\ufffd\/\ufffd\u0018\u0005\u000e\ufffd\ufffd\ufffd\u000f!\ufffdL\ufffd\u000e\ufffd\ufffd \ufffd\ufffd\ufffd\ff\ufffdo\ufffdO\ufffd\ufffdN\ufffdYq\ufffd\ufffdcV\ufffdL!]\ufffd\ufffdi\ufffdR\ufffd{\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 my\ufffdz\u0014c\u0000\t\ufffd=\ufffdrp-p#\ufffd\ufffd[\ufffd\u000bu-[\u0002\ufffd\ufffdeV\u000e",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbS\ufffd\ufffdMN\ufffd.\ufffd`\ufffd'T\ufffd\/\ufffd\u0018\u0005\u000e\ufffd\ufffd\ufffd\u000f!\ufffdL\ufffd\u000e\ufffd\ufffd \ufffd\ufffd\ufffd\ff\ufffdo\ufffdO\ufffd\ufffdN\ufffdYq\ufffd\ufffdcV\ufffdL!]\ufffd\ufffdi\ufffdR\ufffd{\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b398d4d9da2962d2f9c9bc1264d91f14b4bb4181",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbS\ufffd\ufffdMN\ufffd.\ufffd`\ufffd'T\ufffd\/\ufffd\u0018\u0005\u000e\ufffd\ufffd\ufffd\u000f!\ufffdL\ufffd\u000e\ufffd\ufffd \ufffd\ufffd\ufffd\ff\ufffdo\ufffdO\ufffd\ufffdN\ufffdYq\ufffd\ufffdcV\ufffdL!]\ufffd\ufffdi\ufffdR\ufffd{\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdbS\ufffd\ufffdMN\ufffd.\ufffd`\ufffd'T\ufffd\/\ufffd\ufffd\ufffd\ufffd!\ufffdL\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdf\ufffdo\ufffdO\ufffd\ufffdN\ufffdYq\ufffd\ufffdcV\ufffdL!]\ufffd\ufffdi\ufffdR\ufffd{&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"attack_vector": "postgres probe \u00b7 via TLS:10260 \u00b7 (sonde \/ probe)",
"target_port_label": "10260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbS\ufffd\ufffdMN\ufffd.\ufffd`\ufffd'T\ufffd\/\ufffd\u0018\u0005\u000e\ufffd\ufffd\ufffd\u000f!\ufffdL\ufffd\u000e\ufffd\ufffd \ufffd\ufffd\ufffd\ff\ufffdo\ufffdO\ufffd\ufffdN\ufffdYq\ufffd\ufffdcV\ufffdL!]\ufffd\ufffdi\ufffdR\ufffd{\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:10260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffdbS\ufffd\ufffdMN\ufffd.\ufffd`\ufffd'T\ufffd\/\ufffd\ufffd\ufffd\ufffd!\ufffdL\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdf\ufffdo\ufffdO\ufffd\ufffdN\ufffdYq\ufffd\ufffdcV\ufffdL!]\ufffd\ufffdi\ufffdR\ufffd{&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{",
"target_port_label": "10260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"port:10260",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
10260
|
—
|
Sonde port
Sonde port · port 10260 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10260
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Censys, Inc.",
"service": null,
"app_proto": null,
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "8b6711235d1fd173ca3e7716b956dd3893d17241",
"event_fingerprint": "2346859c9af362fcfeac13e327aaa6545725218c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 10260,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e464fb6177416b409652044503890e5cf62cbd9f",
"protocol_details": {
"port": 10260
},
"attack_vector": "Sonde port \u00b7 port 10260 \u00b7 (sonde \/ probe)",
"target_port_label": "10260",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 10260
},
"attack_vector": "Sonde port \u00b7 port 10260 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "10260",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
10260
|
—
|
Sonde port
Sonde port · port 10260 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10260
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
KDT_PLC_M
Meta JSON brut
{
"bytes_in": 9,
"payload_entropy": 2.94770277922009,
"port_category": "registered",
"org": "Censys, Inc.",
"service": null,
"app_proto": null,
"asn": 398722,
"country": "US",
"dst_port": 10260,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "8b6711235d1fd173ca3e7716b956dd3893d17241",
"event_fingerprint": "2346859c9af362fcfeac13e327aaa6545725218c",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7aa6962ed1151e62be24a45eb2f91d20",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 10260,
"risk_score": 44
},
"payload_preview": "KDT_PLC_M",
"request_sample": "KDT_PLC_M",
"payload_snippet": "KDT_PLC_M",
"evidence": {
"request_sample": "KDT_PLC_M",
"payload_snippet": "KDT_PLC_M",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5e489e9b566dd98d898ad32600227d23fc8734c6",
"protocol_details": {
"payload_preview": "KDT_PLC_M",
"port": 10260
},
"evidence_snippet": "KDT_PLC_M",
"attack_vector": "Sonde port \u00b7 port 10260 \u00b7 (sonde \/ probe)",
"target_port_label": "10260",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 10260,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "KDT_PLC_M",
"port": 10260
},
"attack_vector": "Sonde port \u00b7 port 10260 \u00b7 (sonde \/ probe)",
"evidence_snippet": "KDT_PLC_M",
"target_port_label": "10260",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "10260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
587 · SMTP SUBMISSION
|
smtp-submission
|
Sonde SMTP
smtp probe · via SMTP SUBMISSION:587 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMTP-SUBMISSION
WAF
—
Recommandation
Investiguer
Tags
net_smtp_probe
smtp_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
587
Chemin / cible
—
Service
SMTP SUBMISSION
Payload
EHLO www.censys.io
Pourquoi cette classification : Type « smtp_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0401
pat-0629
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SMTP EHLO
UA censys
SMTPS EHLO
User-Agent
—
Règles WAF
—
Payload (extrait)
EHLO www.censys.io
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "323230206d61696c2e6578616d706c652e636f6d2045534d545020506f737466697820285562756e7475290d0a3235302d6d61696c2e6578616d706c652e636f6d0d0a3235302d53495a452035323432383830300d0a3235302048454c500d0a",
"emulator_response_len": 96,
"bytes_in": 20,
"payload_entropy": 3.884183719779189,
"port_category": "well_known",
"org": "Censys, Inc.",
"service": "smtp-submission",
"app_proto": "smtp-submission",
"asn": 398722,
"country": "US",
"dst_port": 587,
"risk_waf": 8,
"risk_classification": 47,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 47,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 50,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "d1de7b843f95d34fe925c9d406cfb487fb4114a5",
"event_fingerprint": "a4eb3bdaea671903d3ce718aa560d7f3c055f5fb",
"classification_reason": "Type \u00ab smtp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 129,
"precision_signals": [
"pat-0401",
"pat-0629",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0401",
"pat-0629",
"INT-upstream"
],
"matched_patterns": [
"pat-0401",
"pat-0431",
"pat-0629"
],
"matched_pattern_names": [
"SMTP EHLO",
"UA censys",
"SMTPS EHLO"
],
"pattern_ids": [
"pat-0401",
"pat-0431",
"pat-0629"
],
"confidence_breakdown": {
"waf": 8,
"classification": 47,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "smtp-submission",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2bf888e2e3083009e39a0dfae72120e9",
"path_pattern_hash": "0585f924ca84c34a681a0e1500b9f97a"
},
"target_context": {
"dst_port": 587,
"service": "smtp-submission",
"service_name": "smtp-submission",
"risk_score": 50
},
"payload_preview": "EHLO www.censys.io\r\n",
"request_sample": "EHLO www.censys.io\r\n",
"payload_snippet": "EHLO www.censys.io",
"evidence": {
"request_sample": "EHLO www.censys.io\r\n",
"payload_snippet": "EHLO www.censys.io",
"classification_reason": "Type \u00ab smtp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0fb21622d1ed41ffc515e890ae2746be441e3933",
"protocol_details": {
"smtp_auth_fr": "Sonde protocole SMTP",
"payload_preview": "EHLO www.censys.io",
"port": 587,
"service": "smtp-submission",
"service_label_fr": "SMTP SUBMISSION"
},
"evidence_snippet": "EHLO www.censys.io",
"attack_vector": "smtp probe \u00b7 via SMTP SUBMISSION:587 \u00b7 (sonde \/ probe)",
"target_port_label": "587 \u00b7 SMTP SUBMISSION",
"emulator_service": "smtp-submission",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab smtp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab smtp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via SMTP SUBMISSION",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 47,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "smtp-submission",
"service_label_fr": "SMTP SUBMISSION",
"dst_port": 587,
"protocol_emulated": true,
"tags_summary": [
"pat-0401",
"pat-0629",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0401",
"pat-0629",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smtp-submission",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"smtp_auth_fr": "Sonde protocole SMTP",
"payload_preview": "EHLO www.censys.io",
"port": 587,
"service": "smtp-submission",
"service_label_fr": "SMTP SUBMISSION"
},
"attack_vector": "smtp probe \u00b7 via SMTP SUBMISSION:587 \u00b7 (sonde \/ probe)",
"evidence_snippet": "EHLO www.censys.io",
"target_port_label": "587 \u00b7 SMTP SUBMISSION",
"emulator_service": "smtp-submission",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smtp_submission",
"service_banner": "honeypot-smtp-submission",
"service_os": "linux",
"dst_port": "587"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_smtp_probe",
"smtp_emulated"
]
}
|
|
|
TCP |
2082
|
http
|
Scanner web
|
Élevée
|
Faible · 38
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
27
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/login
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/login
Confiance classification
98%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Payload (extrait)
GET /login HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "c42c80aa06113268fddf90dfdc871fb7318ff5cf",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 166,
"payload_entropy": 5.179618835145818,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 67.5,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 67.5,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25
},
"risk_score": 38,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "133f081ef6e72c9f026895a4b44a99dd2a76e6e5",
"event_fingerprint": "e1b7454dbcbc7c84813b8a5a4a41ab19fd34026d",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "a067ad683780964d786513a02f2bc84b",
"path_pattern_hash": "7e93fba0bc7adda858a2500090e639e4"
},
"target_context": {
"dst_port": 2082,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"confidence": 0.98,
"classification_confidence": 0.98,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/login HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\n",
"event_signature": "cf4aba3978d6477239ddafb8bd55a368b90c7966",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_probe_login",
"http_ua_disclosed_scanner"
]
}
|
|
|
TCP |
2082
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 19
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������2��L�.��V;�,���\����9��%�NXQυm� }>&���Y[�Y+����i��0��ܴ`���h�G�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.840170004912552,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 19,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b51ea3bdfc9aa156ac0bc6edcfa4285bcb1e6b02",
"event_fingerprint": "ccab3754dc33fe36c3026ffbb7c6dcbc3fe3dfac",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "8c5c7c8b5557300de73cc63ad8a00c2e",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 2082,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00032\ufffd\ufffdL\ufffd.\ufffd\ufffdV;\u0016,\ufffd\u001f\ufffd\\\ufffd\ufffd\ufffd\u000b9\ufffd\ufffd%\ufffdNXQ\u03c5m\u0001 }>&\ufffd\u0001\ufffdY[\ufffdY+\ufffd\ufffd\ufffd\u001fi\ufffd\u00000\ufffd\ufffd\u0734\uff40\ufffd\u0003\ufffdh\ufffdG\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "4ddc6c57a734dce42da10a7fd284752606814e5a",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
2082
|
http
|
Scanner web
|
Élevée
|
Moyen · 41
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
30
Recommandation
Surveiller
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/
Confiance classification
98%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2082
User-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Accep
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.183301719458293,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 75,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 75,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 25
},
"risk_score": 41,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "26e06db8c0f171667a4cd9bc429fcea94abc5b46",
"event_fingerprint": "599c0f1c4d7c64d6bc8183d5c7b712a0254b9c6c",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "32e8fb3a921e31a4753da44965548f23",
"payload_hash": "61e53288a1abf9d938dd66138d62bb85",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2082,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"confidence": 0.98,
"classification_confidence": 0.98,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nUser-Agent: Mozilla\/5.0 (compatible; CensysInspect\/1.1; +https:\/\/about.censys.io\/)\r\nAccep",
"event_signature": "a73491c225c88f7371794a1a9e20d970883f11de",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
]
}
|
|
|
TCP |
2082
|
http
|
http
|
Faible
|
Faible · 7
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
0
Recommandation
Surveiller
Tags
http_no_ua
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
2082
Chemin / cible
*
Confiance classification
58%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
PRI / HTTP/1.1
User-Agent
—
Règles WAF
—
Payload (extrait)
PRI * HTTP/2.0
SM
�������������������Bh��������
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 57,
"payload_entropy": 3.474882067394362,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 8,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.1,
"risk_breakdown": {
"waf": 8,
"classification": 8,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0
},
"risk_score": 7,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "fb9dbea486dd79fdeef62e65adeb13bd08d84d9b",
"event_fingerprint": "dba8b3d75d44ec4070e6d7bfa8410529d61c841e",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fe3435fc30fb19e768a81e744ede3fba",
"path_pattern_hash": "684888c0ebb17f374298b65ee2807526"
},
"target_context": {
"dst_port": 2082,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"confidence": 0.58,
"classification_confidence": 0.58,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "PRI * HTTP\/2.0\r\n\r\nSM\r\n\r\n\u0000\u0000\u0018\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0004\u0000\u0000Bh\u0000\u0006\u0000\u0004\u0000\u0000\u0000\u0003\u0000\u0000\u0000\n",
"event_signature": "74c6b9286929dd9652bb68ef7e145abdd8436a4f",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_no_ua"
]
}
|
|
|
TCP |
2082
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 19
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������8�3)�p��h���&����n��)��찢y9�D� �*����(�9��]*�R�a�����~���m8�L"2�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.820847106335199,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 19,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b51ea3bdfc9aa156ac0bc6edcfa4285bcb1e6b02",
"event_fingerprint": "ccab3754dc33fe36c3026ffbb7c6dcbc3fe3dfac",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "e3f185795c347b031b67e5c35a5c284e",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 2082,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00038\ufffd3)\ufffdp\ufffd\ufffdh\ufffd\ufffd\ufffd&\ufffd\ufffd\f\ufffdn\u0017\ufffd)\ufffd\ufffd\ucc22y9\ufffdD\ufffd \ufffd*\u001a\ufffd\ufffd\ufffd(\ufffd9\u001f\u0000]*\ufffdR\ufffda\ufffd\ufffd\ufffd\u0016\ufffd~\u001a\ufffd\ufffdm8\ufffdL\"2\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "800857b2ca1e851ed0bfc7308b773199ca948a02",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
2082
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
8
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
951040:websocket-anomaly
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2082
Chemin / cible
/
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
950734:sap-sapcontrol-path
951040:websocket-anomaly
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2082
Connection: Upgrade
Sec-WebSocket-Key: uoZmBF7a7XOnWgxoW/s50w==
Sec-WebSocket-Version:
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "4319c7ade0bba7afb97efbb687810dc600e3e05b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 154,
"payload_entropy": 5.296804718024859,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 40,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 40,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 24,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "615c6c06ae0b5f42547890d694cf6177573be9ad",
"event_fingerprint": "cf81aea3b0d86a9027cad10397f064dfc3e1ed5e",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8f6c48935cd0ab1b0073651753d62dc1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2082,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2082\r\nConnection: Upgrade\r\nSec-WebSocket-Key: uoZmBF7a7XOnWgxoW\/s50w==\r\nSec-WebSocket-Version: ",
"event_signature": "0f0efc5a9f06b4d9e29c750d84edfb63f1120933",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"951040:websocket-anomaly",
"http_no_ua"
]
}
|
|
|
TCP |
2082
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 19
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������b��N�nį�
�^���{����*����� 8�������@-�q��ۛ���N1�b�����n!�&̨̩�/�0�+�,��� ���
�����/�5���
���������{�����
Meta JSON brut
{
"tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.72112920358076,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "tls",
"app_proto": "tls",
"asn": 398722,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 19,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b51ea3bdfc9aa156ac0bc6edcfa4285bcb1e6b02",
"event_fingerprint": "ccab3754dc33fe36c3026ffbb7c6dcbc3fe3dfac",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 398722,
"org": "Censys, Inc.",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "35fa0a83e466acbec1cfbb9016d550ab",
"payload_hash": "d54c66da8b806117bda83ab404d9065c",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 2082,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0003\ufffd\ufffdb\u0014\ufffdN\ufffd\u07b9n\u012f\ufffd\r\ufffd^\u0010\ufffd\ufffd{\ufffd\u0014\ufffd\ufffd*\ufffd\ufffd\ufffd\ufffd\u001d 8\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd@-\ufffdq\u0016\ufffd\u06db\ufffd\u0013\ufffdN1\u0014b\u0019\ufffd\ufffd\u05ce\u001d\ufffdn!\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "45ff9780e1087b7fc4814fa00170e616a3061bca",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
2082
|
—
|
Sonde port
|
Faible
|
Faible · 11
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
20256
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
27
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/login
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20256
Chemin / cible
/login
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "7336ce62bd6de08d4f08b6054d34cae87ad35ece",
"http_target_hash": "c42c80aa06113268fddf90dfdc871fb7318ff5cf",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 167,
"payload_entropy": 5.172957547135445,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "8e7afff6df80a437b665304b975e5f40513df873",
"event_fingerprint": "e3a19774b5d8f0262fd5ecbb973ba490d7fb4df1",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_probe_login"
]
}
|
|
|
TCP |
20256
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
20256
|
http
|
http
|
Faible
|
Faible · 14
|
|
Étape
—
WAF
0
Recommandation
—
Tags
http_no_ua
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
20256
Chemin / cible
*
Ligne de requête
PRI / HTTP/1.1
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 57,
"payload_entropy": 3.474882067394362,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 1,
"anomaly_count": 0,
"risk_score": 14,
"campaign_key": "15b7d57cb5ec669143a3ea5395936785a9e2491f",
"event_fingerprint": "7c45c1b8e88b500bda0a77697932d12485ad2fe2",
"tags_list": [
"http_no_ua"
]
}
|
|
|
TCP |
20256
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
20256
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20256
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "7336ce62bd6de08d4f08b6054d34cae87ad35ece",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 162,
"payload_entropy": 5.176140570502948,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "d4978cc474046c7ed7a446a64de4aaa34e4a0e05",
"event_fingerprint": "bf80b2ee2fc3556c3ceea840b40f7dd565716c2f",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
20256
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
20256
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
20256
|
http
|
http
|
Faible
|
Faible · 16
|
|
Étape
—
WAF
3
Recommandation
—
Tags
950734:sap-sapcontrol-path
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
20256
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 1,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "7336ce62bd6de08d4f08b6054d34cae87ad35ece",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 42,
"payload_entropy": 4.189238255803027,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 2,
"anomaly_count": 0,
"risk_score": 16,
"campaign_key": "93841ad784826660d7a1ef7390c4c02030499fec",
"event_fingerprint": "11ddb5cfd13ffd3ca9f183fba30b0cab70359c36",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua"
]
}
|
|
|
TCP |
20256
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
20256
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5671
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5671
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
27
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/login
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5671
Chemin / cible
/login
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "ff7b10cb10f677aff1c9ec3f998dc129e27cfaeb",
"http_target_hash": "c42c80aa06113268fddf90dfdc871fb7318ff5cf",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 166,
"payload_entropy": 5.174469720855015,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "1651de1695f0cd353ed0039e62978072bc52bfa5",
"event_fingerprint": "1cf4662472ec7cf04fb7f65238694543eaa75069",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_probe_login"
]
}
|
|
|
TCP |
5671
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5671
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "ff7b10cb10f677aff1c9ec3f998dc129e27cfaeb",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 161,
"payload_entropy": 5.177992694785788,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "4bd605ca2edd1347d3b0f55f1d6a7ebaa618f51b",
"event_fingerprint": "6970dbacb278d5d5cf3a9a0583bc67a4c6e7a8a7",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
5671
|
http
|
http
|
Faible
|
Faible · 14
|
|
Étape
—
WAF
0
Recommandation
—
Tags
http_no_ua
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
5671
Chemin / cible
*
Ligne de requête
PRI / HTTP/1.1
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 57,
"payload_entropy": 3.474882067394362,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 1,
"anomaly_count": 0,
"risk_score": 14,
"campaign_key": "ce6dca1ac6b3ae3c847bc4f06e165d40e037f4c1",
"event_fingerprint": "74ee18794c02723cb1ac3574ea79aab179f5ef3c",
"tags_list": [
"http_no_ua"
]
}
|
|
|
TCP |
5671
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5671
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5671
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
11
Recommandation
—
Tags
950318:lfi-14
950734:sap-sapcontrol-path
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5671
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
950318:lfi-14
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "ff7b10cb10f677aff1c9ec3f998dc129e27cfaeb",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 154,
"payload_entropy": 5.30223326723662,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 3,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "e2c56737673f9e912d2d6a406431ef3aa6b769a2",
"event_fingerprint": "6970dbacb278d5d5cf3a9a0583bc67a4c6e7a8a7",
"tags_list": [
"950318:lfi-14",
"950734:sap-sapcontrol-path",
"http_no_ua"
]
}
|
|
|
TCP |
5671
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5671
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5671
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5671
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
18246
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
18246
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
27
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/security.txt
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
18246
Chemin / cible
/security.txt
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "txt",
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "89e22092ef102e5e1dd0c6d6454d5657b9e9832c",
"http_target_hash": "35388aa39f105600011ad0e7ab2a90933c84d4f3",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 174,
"payload_entropy": 5.206573075771555,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "24623262db3f233d9e87c9fa495dd82ff16fc342",
"event_fingerprint": "5d6be804238f2b713a19928118b8a34701ba494f",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
]
}
|
|
|
TCP |
18246
|
http
|
web attack
|
Élevée
|
Critique · 100
|
|
Étape
—
WAF
30
Recommandation
—
Tags
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
18246
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)
Règles WAF
950318:lfi-14
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 4,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5f5db91a9e2e02c1396d851db979a6f7b4d4b364",
"http_host_hash": "89e22092ef102e5e1dd0c6d6454d5657b9e9832c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 162,
"payload_entropy": 5.204875274404513,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 5,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "47c9a6344431ca6bc8c7f56fecc6a7837bf7e681",
"event_fingerprint": "c26f2925b0324daf339dd5dbd71c872e6e0dc062",
"tags_list": [
"950318:lfi-14",
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|
|
|
TCP |
18246
|
http
|
http
|
Faible
|
Faible · 14
|
|
Étape
—
WAF
0
Recommandation
—
Tags
http_no_ua
Cible HTTP
PRI
*
TLS SNI
—
Capteur
paris-1
|
Méthode
PRI
Port
18246
Chemin / cible
*
Ligne de requête
PRI / HTTP/1.1
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61",
"http_referer_hash": null,
"http_method": "PRI",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 57,
"payload_entropy": 3.474882067394362,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 1,
"anomaly_count": 0,
"risk_score": 14,
"campaign_key": "b8ffcc6b212cb51375aa3b4a5e27b8de2451caa5",
"event_fingerprint": "23978413065129e7fc32b13cb16dfd1a9195401e",
"tags_list": [
"http_no_ua"
]
}
|
|
|
TCP |
18246
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
18246
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
18246
|
http
|
http
|
Faible
|
Faible · 21
|
|
Étape
—
WAF
3
Recommandation
—
Tags
950734:sap-sapcontrol-path
http_no_ua
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
18246
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "89e22092ef102e5e1dd0c6d6454d5657b9e9832c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 155,
"payload_entropy": 5.250528978455079,
"port_category": "registered",
"org": "Censys, Inc.",
"service": "http",
"app_proto": "http",
"asn": 398722,
"country": "US",
"tag_count": 2,
"anomaly_count": 0,
"risk_score": 21,
"campaign_key": "7e561cb1bacdab710f9cb0a89fb78e1ffa7e71d5",
"event_fingerprint": "2c0f873c46672b5dee53457e4216c4e7259189f5",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua"
]
}
|
|
|
TCP |
18246
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
18246
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
18246
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
18246
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|