{"ip":"2.57.17.40","exported_at":"2026-07-19T14:45:33+00:00","period_days":30,"metrics":{"events7d":25,"distinct_ports":24,"distinct_classifications":4,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":37,"max_risk_score":64,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal"],"recommended_action":"investigate","confidence":0.59,"risk_breakdown":{"waf":100,"classification":78,"behavior":0,"geo":0,"protocol":25,"novelty":25},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"TA0001","top_mitre_technique":"TA0001","top_mitre_count":29,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":78,"behavior":0,"geo":0,"protocol":25,"novelty":25,"risk_score":56},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":59,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["CRS-930100-sub"],"tags_summary":["CRS-930100-sub"],"attack_vector":"lfi path traversal \u00b7 via HTTP:9711 \u00b7 (tentative d\u0027exploit)","protocol_details":{"http_method":"GET","http_path":"\/","request_line":"GET \/ HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","port":9711,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/ \u00b7 UA Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https\u2026 \u00b7 HTTP:9711","evidence_snippet":"GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne","target_port_label":"9711 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 59 % \u2014 5 tag(s) WAF","classification_reason":"Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%","classification_reason_label_fr":"Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%","confidence_factors_fr":"Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF","payload_preview":"GET \/ HTTP\/1.1\r\nHost: 192.0.2.1\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept: *\/*\r\nConne"},"events":[{"id":12829558,"ip":"2.57.17.40","ts":"2026-07-19 03:08:20.000000","proto":"tcp","src_port":26086,"dst_port":9711,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022e7ac7ecd794e71914a63e2cbdca798fceb5afd12\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.097605644356062, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 9711, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a4db34df2deef81e634389e593924b8eae7ca7af\u0022, \u0022event_fingerprint\u0022: \u0022b57cfd10e61adb815c9e1b4ac751e4b024e5187e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022973598b044a4648e3c3fc5667c0c8ce9\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9711, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bc3e0686c7adf889c0d622640711dd394880ff7a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 9711, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:9711 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229711 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9711, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 9711, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:9711 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022target_port_label\u0022: \u00229711 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229711\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"192.0.2.1","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":144},{"id":12819267,"ip":"2.57.17.40","ts":"2026-07-19 00:18:50.000000","proto":"tcp","src_port":1974,"dst_port":7150,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022dcea587be46f78765edf02b6ed1e172b5418c612\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 184, \u0022payload_entropy\u0022: 5.173437365317213, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 7150, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223d7d5795758b55ad9b598c83cc16fd71f4c68c1c\u0022, \u0022event_fingerprint\u0022: \u00220647296a4aca758deed6ce98b31c8792f26cbe68\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.5, \u0022classification_confidence\u0022: 0.5, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00221605d23b58947fcf74aedb75b58dd688\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7150, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223393931e797878bb29ca90cbbf6baea77f43b13f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 7150, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:7150 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u00227150 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7150, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 7150, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:7150 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022target_port_label\u0022: \u00227150 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227150\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:7150","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":184},{"id":12812707,"ip":"2.57.17.40","ts":"2026-07-18 22:25:17.000000","proto":"tcp","src_port":11038,"dst_port":6501,"service":"http","classification":"lfi_path_traversal","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022b1df64c4d99090beb433df84fa7e3fdf98b8a9b9\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 447, \u0022payload_entropy\u0022: 5.196421428477847, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 6501, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002241711faee1008724dea2cb298c2080412eb384f9\u0022, \u0022event_fingerprint\u0022: \u0022173912e34a13398e4d872a6b0d2547c90eba2c09\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00227aa8bdc1c897958a55daee2ebf1518eb\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6501, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6501\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6501\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versio\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6501\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6501\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versio\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6501\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d10ce30a7f426573b0d9160cb7a7506ab1613b21\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 6501, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6501\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:6501 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u00226501 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6501, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 6501, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:6501 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6501\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022target_port_label\u0022: \u00226501 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226501\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6501","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":447},{"id":12798275,"ip":"2.57.17.40","ts":"2026-07-18 17:56:21.000000","proto":"tcp","src_port":27229,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220bc29430209a1501e4a4048f59725d53efecdcd6\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002292905bc731f5997d91db958dfa59f6c569432dbe\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":12688614,"ip":"2.57.17.40","ts":"2026-07-17 20:20:36.000000","proto":"tcp","src_port":11532,"dst_port":9068,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022f1b75c838e54186abaf2cfa27560702a02273ea2\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 173, \u0022payload_entropy\u0022: 5.206419253236291, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 9068, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226a201d5d12b1266796e88cab5254c703d6e70276\u0022, \u0022event_fingerprint\u0022: \u0022b5338aa671c06cf09c17b5de6ae2c8a7ff1210bb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022d3f9a119edfe572502c5deeff9c6b02c\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9068, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d8b2ddb834e8499a3036f93b6b7446be1ffde4f8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 9068, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:9068 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229068 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9068, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 9068, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:9068 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:9068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00229068 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229068\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9068","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":173},{"id":12672013,"ip":"2.57.17.40","ts":"2026-07-17 16:14:36.000000","proto":"tcp","src_port":44002,"dst_port":110,"service":"pop3","classification":"port_110_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00222b4f4b20504f503320686f6e6579706f742072656164790d0a\u0022, \u0022emulator_response_len\u0022: 25, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022pop3\u0022, \u0022app_proto\u0022: \u0022pop3\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 110, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220bc29430209a1501e4a4048f59725d53efecdcd6\u0022, \u0022event_fingerprint\u0022: \u00228d5f083aa812a6762c3b48b8375cd32260924478\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.65, \u0022classification_confidence\u0022: 0.65, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022pop3_probe\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022dc4164b66ff59a3b1d171afce3368aeb\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002292905bc731f5997d91db958dfa59f6c569432dbe\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_110_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 65, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022, \u0022dst_port\u0022: 110, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022pop3_auth_fr\u0022: \u0022Sonde protocole POP3 (USER\/PASS)\u0022, \u0022port\u0022: 110, \u0022service\u0022: \u0022pop3\u0022, \u0022service_label_fr\u0022: \u0022POP3\u0022}, \u0022attack_vector\u0022: \u0022port 110 tcp \u00b7 via POP3:110 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u0022110 \u00b7 POP3\u0022, \u0022emulator_service\u0022: \u0022pop3\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 65 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022pop3\u0022, \u0022service_banner\u0022: \u0022honeypot-pop3\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022110\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_pop3_probe\u0022, \u0022pop3_emulated\u0022]","anomalies":"[]","severity":3,"bytes_in":0},{"id":12667093,"ip":"2.57.17.40","ts":"2026-07-17 14:51:24.000000","proto":"tcp","src_port":31591,"dst_port":6095,"service":null,"classification":"port_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: null, \u0022app_proto\u0022: null, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 6095, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 48.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 0.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225d9989cf90c47b37c8b3e41f43dac0b6a9b4bb55\u0022, \u0022event_fingerprint\u0022: \u00221b367fbe1bd0c288afed78d651370b09ff156243\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u002249ebffbc8eed300cf9429db1ba4cf66d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6095, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c6e01ccf89dbdcf3d0711821c3d1e8cad4675c6e\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 6095}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 6095 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00226095\u0022, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 44\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 48.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 0.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 44}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 44, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: null, \u0022service_label_fr\u0022: null, \u0022dst_port\u0022: 6095, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022INT-FP-port-probe-noise\u0022, \u0022INT-single-port\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Fp Port Probe Noise\u0022, \u0022Single Port\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 6095}, \u0022attack_vector\u0022: \u0022Sonde port \u00b7 port 6095 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00226095\u0022, \u0022emulator_service\u0022: null, \u0022confidence_reason\u0022: \u0022Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022generic\u0022, \u0022service_banner\u0022: \u0022honeypot\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226095\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":12665316,"ip":"2.57.17.40","ts":"2026-07-17 14:26:44.000000","proto":"tcp","src_port":65375,"dst_port":1900,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022e7ac7ecd794e71914a63e2cbdca798fceb5afd12\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.097605644356062, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 1900, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a2e43d8acac643a4205dac9d9f5daf1dbbb35e4a\u0022, \u0022event_fingerprint\u0022: \u002291df8c1fbe7fd3a83b97a141bcd8fa56ab8a1e1b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022973598b044a4648e3c3fc5667c0c8ce9\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1900, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a43ff61b073fe5b836102234a629db41f1fccd80\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 1900, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:1900 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221900 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1900, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 1900, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:1900 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022target_port_label\u0022: \u00221900 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221900\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"192.0.2.1","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":144},{"id":12654303,"ip":"2.57.17.40","ts":"2026-07-17 10:54:25.000000","proto":"tcp","src_port":4614,"dst_port":17765,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00225ac148227317836d131ef809ada08db1391d44e9\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.213702618478467, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 17765, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220680ac5ed40f61704ad3c96b97ad99fa6e6ffa7e\u0022, \u0022event_fingerprint\u0022: \u0022fc2ec0add4c09812121d848f514526c362c972b9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00223d8ef79c2d0414543740a448c3601233\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 17765, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17765\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17765\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17765\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17765\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17765\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022105a46e85ac09e20ef06001b79b2403db20b033b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 17765, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17765\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:17765 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002217765 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 60, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 17765, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 17765, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:17765 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17765\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002217765 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002217765\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:17765","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448},{"id":12653975,"ip":"2.57.17.40","ts":"2026-07-17 10:46:55.000000","proto":"tcp","src_port":3476,"dst_port":17872,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00229ab9b8adc73c2a1e0347e545dfc323258128d417\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.219541730118524, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 17872, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022358c0940857d03cbc1a7c8d08e770006dccc7224\u0022, \u0022event_fingerprint\u0022: \u002227f665627e3aa40725ec9d9f179f472cd02e2c2d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00223425869e9fc3c7cf74fa06dbfec1fd6d\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 17872, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17872\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17872\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17872\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17872\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17872\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022197bbcd1e20aab9b99e6e9eaf6303ba08a3cf41f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 17872, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17872\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:17872 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002217872 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 17872, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 17872, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:17872 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:17872\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002217872 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002217872\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:17872","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448},{"id":12611075,"ip":"2.57.17.40","ts":"2026-07-17 01:28:25.000000","proto":"tcp","src_port":9474,"dst_port":25963,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022706459636e04197e2791d6b528872bbb0c8d0a78\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.16900310811385, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 25963, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226f70369a200011aae144b8c1ef04ea786f23ea4a\u0022, \u0022event_fingerprint\u0022: \u0022fc1378be489f9ebffb388a3af6dc05c1c520ca6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022df84e08232121e1540392dd22f8825ab\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 25963, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:25963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:25963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:25963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:25963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:25963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022df29605ac638bbcff523b41d91806faa5107ddca\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 25963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:25963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:25963 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002225963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 25963, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 25963, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:25963 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:25963\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002225963 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002225963\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:25963","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":12562555,"ip":"2.57.17.40","ts":"2026-07-16 21:00:43.000000","proto":"tcp","src_port":1326,"dst_port":5785,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022e00a0ef093216190c9a7a6beceb8bf755fe91364\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 173, \u0022payload_entropy\u0022: 5.2020557416630915, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 5785, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022311f2f61a2fa114c14f8517741b5d55686613abd\u0022, \u0022event_fingerprint\u0022: \u0022c3f73dee4727fb5169e60b14c751854d96ed7d50\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u002275b1d4959925180b3dab78e9c2b0d076\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5785, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5785\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5785\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5785\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5785\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5785\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002263f802ab1649eca61e8386d68500a85bcc3355c3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 5785, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5785\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:5785 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225785 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5785, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 5785, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:5785 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5785\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00225785 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225785\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5785","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":173},{"id":12549548,"ip":"2.57.17.40","ts":"2026-07-16 19:17:50.000000","proto":"tcp","src_port":6810,"dst_port":5068,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022bb0e891a7870c269bd64f8017e603ca203d7a195\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 444, \u0022payload_entropy\u0022: 5.205497479523107, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 5068, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223ae63bffc3396b5775783a4e6b1210f8593a7e24\u0022, \u0022event_fingerprint\u0022: \u00225c63e1daf933d0648aad285f5d1567825c98f356\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022d0e2dacb7698ab42e2980870704696c5\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5068, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Len\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version: \u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Len\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version: \u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Len\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002268369381432e3049f848f91862d515fd63366c3c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 5068, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Len\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:5068 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225068 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5068, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 5068, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:5068 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:5068\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Len\u0022, \u0022target_port_label\u0022: \u00225068 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225068\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5068","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":444},{"id":12549359,"ip":"2.57.17.40","ts":"2026-07-16 19:12:50.000000","proto":"tcp","src_port":12374,"dst_port":19568,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022a75a49df1239c1f0be13cdfdc42ea5ca90fff3e2\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 174, \u0022payload_entropy\u0022: 5.211707633357699, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 19568, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f001b0d00b54807100549e682abc4cfd402e6a46\u0022, \u0022event_fingerprint\u0022: \u002241ec794d19791beae071992ba14d4c5e9656016f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00225ff64f256e385ffc546fc9ba9c1fa131\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 19568, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19568\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19568\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19568\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19568\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19568\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022173e227de65de503355ab0fc365606e4e55b3bc6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19568, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19568\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:19568 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002219568 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 19568, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19568, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:19568 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19568\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u002219568 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002219568\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:19568","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":174},{"id":12531211,"ip":"2.57.17.40","ts":"2026-07-16 16:18:10.000000","proto":"tcp","src_port":2522,"dst_port":30222,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022b511e28e15fe6e77caa2278ade580dd4468d6166\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.192816721619114, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 30222, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002219a107fa8d2d913517ae394b50d8957045dc6303\u0022, \u0022event_fingerprint\u0022: \u0022a17c3d758e06bda86d1f7c439a85246681d74f4c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00222689ef4d5a97a5e28fcb167cc7034983\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 30222, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:30222\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:30222\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:30222\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:30222\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:30222\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002285fd27567a18aac0ee147bd6329620f14b323a35\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 30222, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:30222\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:30222 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002230222 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 30222, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 30222, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:30222 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:30222\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002230222 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002230222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:30222","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448},{"id":12460603,"ip":"2.57.17.40","ts":"2026-07-16 10:08:24.000000","proto":"tcp","src_port":6588,"dst_port":22185,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022c68607dc0f9642c493ad79b2c475d64eefd7dc0a\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.165050817526606, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 22185, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d6dceddfd3b2f4588a1f1ed3d316e0ea9480f3dc\u0022, \u0022event_fingerprint\u0022: \u0022bf816b031507f11fbf13ad2f10e145ec00684885\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022837118924822cf67b2e62bbd19655ce8\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22185, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:22185\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:22185\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:22185\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:22185\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:22185\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e1f8d13e6ac553de278ef8c83f4be9955294b58b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 22185, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:22185\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:22185 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002222185 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 22185, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 22185, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:22185 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:22185\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002222185 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222185\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 11, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:22185","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":12456460,"ip":"2.57.17.40","ts":"2026-07-16 09:47:36.000000","proto":"tcp","src_port":1436,"dst_port":19177,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022d6b0e8a416b8510da05ada3ff70f7022e53c448c\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 445, \u0022payload_entropy\u0022: 5.219830546565574, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 19177, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002200ea37687a7ce6270ff91181c07260974cf1a1b8\u0022, \u0022event_fingerprint\u0022: \u00227b2f5f767de25b3fb54f41580bfabefc26b0775f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00225c3df24a5c3db7aab2cf4aab9a2fe3e6\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 19177, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19177\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19177\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19177\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19177\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19177\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228925c5b6b9175c4811ac17e216bb51ef30b45fc6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19177, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19177\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19177 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002219177 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 19177, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19177, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19177 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19177\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022target_port_label\u0022: \u002219177 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002219177\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:19177","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":445},{"id":12187300,"ip":"2.57.17.40","ts":"2026-07-15 10:44:38.000000","proto":"tcp","src_port":9642,"dst_port":21821,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002251cbc093cab1f07abecad65464fbd4c02493a981\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 5.181179013636723, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 21821, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002259bedefd503d4f726f2fe1ca4ed9524f467dc980\u0022, \u0022event_fingerprint\u0022: \u0022c51d4cbfbad5ec2a99bb9b4c949279c1fbef775d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.6, \u0022classification_confidence\u0022: 0.6, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022d358e0b7725f9fb6686b7b1f4f1cd0cb\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 21821, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:21821\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:21821\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:21821\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:21821\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:21821\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e2cb41a7664994ff321f2e7711b3aa8f513ee1e7\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 21821, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:21821\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:21821 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u002221821 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 60 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 60, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 21821, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 21821, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:21821 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:21821\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022target_port_label\u0022: \u002221821 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 60 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002221821\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:21821","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":12177124,"ip":"2.57.17.40","ts":"2026-07-15 09:20:41.000000","proto":"tcp","src_port":12760,"dst_port":8038,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002206c4af9b332b7c0050e2e244da843835e06a35b9\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 173, \u0022payload_entropy\u0022: 5.187661377526253, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 8038, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002235d3c688608740c6de55196b456258075d3f4d6d\u0022, \u0022event_fingerprint\u0022: \u002272a00020ab3e5bdef6dc61f9adea54a28182dd93\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022ed86daf077a8c1a0a30a65be57389e75\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8038, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8038\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8038\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8038\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8038\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8038\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226b54aae6aae983dcd2a5005427e03d364335786c\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 8038, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8038\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8038 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228038 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8038, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 8038, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:8038 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:8038\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00228038 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228038\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:8038","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":173},{"id":12128885,"ip":"2.57.17.40","ts":"2026-07-15 06:24:42.000000","proto":"tcp","src_port":50778,"dst_port":13701,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022e7ac7ecd794e71914a63e2cbdca798fceb5afd12\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.097605644356062, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 13701, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002217d706acff95fa5d3ded8c5a1c2765678d4abc6d\u0022, \u0022event_fingerprint\u0022: \u002254fc52ec0e34ba57c7344f5a08f16242f0c87052\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022973598b044a4648e3c3fc5667c0c8ce9\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 13701, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022914085bb8ba5f7283f84f9ec4d52cae22c70c851\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 13701, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:13701 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002213701 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 13701, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 13701, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:13701 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022target_port_label\u0022: \u002213701 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002213701\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"192.0.2.1","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":144},{"id":12000460,"ip":"2.57.17.40","ts":"2026-07-14 22:59:39.000000","proto":"tcp","src_port":1474,"dst_port":19732,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022848a07f4c07bdb4da5259aaa9b206b784d50f24e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 445, \u0022payload_entropy\u0022: 5.215154267920014, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 19732, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f8d775c5ba86ae8603ab690ed19a321e9eb6122c\u0022, \u0022event_fingerprint\u0022: \u0022dae40794b60541356d20e8472b3661d6442a4749\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00228dc3c16b4c95ead0780f08dd6128f1e6\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 19732, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224b0a36491b5229f04b3a86abc7db7be35a1bb4bb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19732, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19732 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002219732 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 19732, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19732, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19732 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022target_port_label\u0022: \u002219732 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002219732\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:19732","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":445},{"id":11962939,"ip":"2.57.17.40","ts":"2026-07-14 18:39:41.000000","proto":"tcp","src_port":10316,"dst_port":17558,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002219212fb8727a2892b153c089dbd1c7a5a0f4fbd0\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 174, \u0022payload_entropy\u0022: 5.204551814404615, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 17558, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002202c88eb2204b44aa1e32ac6705313d31a5ae03b6\u0022, \u0022event_fingerprint\u0022: \u002292c143a67aeaad89a92ea143d14029516aff9ba5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00226961485d7212e1724361cd39f3b06c43\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 17558, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17558\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17558\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17558\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17558\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17558\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022db0261304a644282dfdaaa8731174485771c6e05\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 17558, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17558\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:17558 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002217558 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 17558, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 17558, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:17558 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:17558\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u002217558 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002217558\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:17558","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":174},{"id":11898840,"ip":"2.57.17.40","ts":"2026-07-14 11:51:24.000000","proto":"tcp","src_port":1976,"dst_port":19717,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022e7132926e23ff36e15952b45706b3e227bdb4d1b\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.21994532267965, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 19717, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002262c553724e5cba1b146fffb730dd74202a209f7c\u0022, \u0022event_fingerprint\u0022: \u00228af8a02f184ea0e68441f62eae4daadfda72c930\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022f2aca5e9063f6b6366f4428ba08bf114\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 19717, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19717\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19717\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19717\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19717\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19717\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b9a9aa168574a0c97eddabeeae1a33b3660a33fa\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19717, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19717\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19717 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002219717 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 19717, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19717, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19717 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19717\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002219717 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002219717\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:19717","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448},{"id":11493738,"ip":"2.57.17.40","ts":"2026-07-12 21:29:48.000000","proto":"tcp","src_port":12524,"dst_port":24239,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022779ff57272187648ba2b6b877a03f5635be49a3e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 174, \u0022payload_entropy\u0022: 5.211707633357699, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 24239, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002266d391837d3febb516fb262e7df5aec4b1a8aea2\u0022, \u0022event_fingerprint\u0022: \u00220595f46ee7dad316fd89595a90c8f7093f0ae936\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022ed1dcecd0150e1263d8f00cfc30833e8\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24239, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:24239\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:24239\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:24239\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:24239\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:24239\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f88d319a2ca34ad566055668a648fe6571d16df1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 24239, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:24239\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:24239 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002224239 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 24239, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 24239, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:24239 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:24239\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u002224239 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002224239\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:24239","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":174},{"id":11465880,"ip":"2.57.17.40","ts":"2026-07-12 18:36:19.000000","proto":"tcp","src_port":9060,"dst_port":1662,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022225fa070d6414a2ab98225cc8459617dd3600366\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 173, \u0022payload_entropy\u0022: 5.178934354379854, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 1662, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002299acc1f81da2c3e25502230a92104ea224a6fa68\u0022, \u0022event_fingerprint\u0022: \u0022b9b0318b94a2ae8c97e4ff538a8a02c79e9b568e\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00221faa8da1ff523e8f2979884a27e48374\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1662, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1662\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1662\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1662\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1662\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1662\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002203452f2e9476a6600a619cd400ec49dbabeeeda0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 1662, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1662\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:1662 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221662 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1662, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 1662, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:1662 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1662\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00221662 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221662\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:1662","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":173},{"id":11237045,"ip":"2.57.17.40","ts":"2026-07-11 21:18:00.000000","proto":"tcp","src_port":16270,"dst_port":22687,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002224a96e6971b2248baa8ac464473bb43ff03e5bd2\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 174, \u0022payload_entropy\u0022: 5.218863452310782, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 22687, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022df46bf0232e256dac7737f26b63a3e8a7fb353a4\u0022, \u0022event_fingerprint\u0022: \u0022fecf2870c68a04f22d9d6bcb18ab45c906cd63dd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u002225add27a7920ecd228f93585e5fa48d6\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22687, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22687\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22687\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22687\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22687\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22687\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c46484fd1fb91b7860bf1659a02d5c5d27bae683\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 22687, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22687\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:22687 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002222687 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 22687, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 22687, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:22687 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:22687\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u002222687 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222687\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:22687","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":174},{"id":11221119,"ip":"2.57.17.40","ts":"2026-07-11 19:59:42.000000","proto":"tcp","src_port":7824,"dst_port":32606,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022f7cf1ec9318e09a2d3ab084ffa542e0a002e010e\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 5.172338624321049, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 32606, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fe9d5017760f6ea878c2e33b11f86705960af92b\u0022, \u0022event_fingerprint\u0022: \u00229d0aa4ef2acc6e17dffa3a96883c5c139fb750a5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.5, \u0022classification_confidence\u0022: 0.5, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 58}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022fce8bf65635f0e256123f46520cc408b\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 32606, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:32606\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:32606\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:32606\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:32606\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:32606\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002287f576dc5b55201efb81f635cdfbebf58a38d89d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 32606, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:32606\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:32606 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u002232606 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 58}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 32606, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 32606, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:32606 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:32606\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022target_port_label\u0022: \u002232606 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002232606\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:32606","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":11195321,"ip":"2.57.17.40","ts":"2026-07-11 18:39:42.000000","proto":"tcp","src_port":4348,"dst_port":12867,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00228a28a7f5c1139bc6a85fdff318c8ac84d89c1abf\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.1834266028895755, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 12867, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b1c7005c06b268a22b0be563ce31b1f129369c7a\u0022, \u0022event_fingerprint\u0022: \u0022140408e17d84ed726e6fbd8c6c93b2b3e6ec2ad7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022305438b3d2500b1db73c8ea4a983ca54\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 12867, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:12867\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:12867\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:12867\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:12867\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:12867\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022364bbe7d2267017ebf8aaa899ac0213e6aaf01ec\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 12867, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:12867\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:12867 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002212867 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 12867, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 12867, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:12867 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:12867\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002212867 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002212867\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:12867","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":10971840,"ip":"2.57.17.40","ts":"2026-07-11 04:54:25.000000","proto":"tcp","src_port":2180,"dst_port":23232,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022a938817580204151051ccf8a6878a09f12e50559\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.1435855532851935, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 23232, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227c00cd573a44aed09bfbdeadd485a4d2edb55036\u0022, \u0022event_fingerprint\u0022: \u00223fc73147785ac1ec31ff91c56a1524f7bd7480cb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022b3b1cb79696a8c4b41123746880beb43\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 23232, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:23232\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:23232\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:23232\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:23232\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:23232\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221fdeaf7837f03cfd5fc7901bc7d1877983cc2c69\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 23232, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:23232\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:23232 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002223232 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 23232, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 23232, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:23232 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:23232\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002223232 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002223232\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:23232","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":10892483,"ip":"2.57.17.40","ts":"2026-07-10 18:20:10.000000","proto":"tcp","src_port":5576,"dst_port":6510,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022e90e8e6ec3a44c6e4b55885caa74daa98c166096\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 447, \u0022payload_entropy\u0022: 5.196421428477847, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 6510, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222413ed2cacc24e71bb4dcb559fc25a52aa2860cd\u0022, \u0022event_fingerprint\u0022: \u002286a27ccd155733d4835512ffd21c45d9e8f2908a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022da1c919f87660b2c01f046648482bda1\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 6510, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6510\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6510\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versio\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6510\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6510\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versio\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6510\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002215a976ebbd6ebc977d10ef68db4253ec5a3e6493\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 6510, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6510\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:6510 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u00226510 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 6510, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 6510, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:6510 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:6510\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022target_port_label\u0022: \u00226510 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00226510\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:6510","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":447},{"id":10628042,"ip":"2.57.17.40","ts":"2026-07-01 01:23:49.000000","proto":"tcp","src_port":5190,"dst_port":10689,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002214ae94c0efe69888997d20b47df52bc74d836e37\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.216403909982925, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 10689, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a7fd6d2accbd812fe40f4d70e12479ef3fa8113c\u0022, \u0022event_fingerprint\u0022: \u002211d04ce430f3b342da587e7af14e8e875e7977a3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022ab1767236bbe3f1a3ef5896707f2f7d9\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10689, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:10689\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:10689\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:10689\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:10689\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:10689\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f4dbe3e0f7908df8d2ee7c59bbe4016e11664022\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 10689, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:10689\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:10689 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002210689 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (2.57.17.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10689, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 10689, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:10689 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:10689\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002210689 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (2.57.17.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210689\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u00222.57.17.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:10689","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448},{"id":10623336,"ip":"2.57.17.40","ts":"2026-07-01 00:29:22.000000","proto":"tcp","src_port":42999,"dst_port":3132,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 4, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022e7ac7ecd794e71914a63e2cbdca798fceb5afd12\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 5.097605644356062, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 3132, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002209914b7a5433475977e25c80d3c98c227ad6a88f\u0022, \u0022event_fingerprint\u0022: \u00225248739c8d28e9c789460c50df7c63c064d12130\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022973598b044a4648e3c3fc5667c0c8ce9\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3132, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221ae472a004875bd057714afcb2c49512df764a81\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 3132, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:3132 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00223132 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3132, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 3132, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:3132 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 192.0.2.1\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConne\u0022, \u0022target_port_label\u0022: \u00223132 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223132\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"192.0.2.1","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":144}],"total_events":32}