|
|
TCP |
12324
|
—
|
proxy probe
proxy probe · port 12324 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
socks5_greeting
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
12324
Chemin / cible
—
Pourquoi cette classification : Type « proxy_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 3,
"payload_entropy": 1.584962500721156,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": null,
"app_proto": null,
"asn": 14061,
"country": "GB",
"dst_port": 12324,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 35,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "0aae59e5ee39b5077a344b57750662d621e4823c",
"event_fingerprint": "c73bdab97973f724825dfa797e1ea63b5bd6fb70",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 35
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "da075e9d699084fc189cdd233081c49f",
"path_pattern_hash": "b6d4fb956dc4d23d1c2c3eccd7f8e7e3"
},
"target_context": {
"dst_port": 12324,
"risk_score": 35
},
"payload_preview": "\u0005\u0001\u0000",
"request_sample": "\u0005\u0001\u0000",
"payload_snippet": "\u0005\u0001\u0000",
"evidence": {
"request_sample": "\u0005\u0001\u0000",
"payload_snippet": "\u0005\u0001\u0000",
"classification_reason": "Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dd7f3353b1a39a5627a10b189d3c5464607896bd",
"protocol_details": {
"payload_preview": "\u0005\u0001\u0000",
"port": 12324
},
"attack_vector": "proxy probe \u00b7 port 12324 \u00b7 (sonde \/ probe)",
"target_port_label": "12324",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": null,
"service_label_fr": null,
"dst_port": 12324,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0005\u0001\u0000",
"port": 12324
},
"attack_vector": "proxy probe \u00b7 port 12324 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "12324",
"emulator_service": null,
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "12324"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"socks5_greeting"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
1080 · SOCKS5
|
socks5
|
socks5 probe
socks5 probe · via SOCKS5:1080 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SOCKS5
WAF
—
Recommandation
Surveiller
Tags
net_socks5_probe
socks5_emulated
socks5_greeting
socks5_handshake
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1080
Chemin / cible
—
Service
SOCKS5
Payload
���
Pourquoi cette classification : Type « socks5_probe » (signaux protocolaires) · confiance 67%
Confiance classification
75%
Corrélation +8
Risque capteur
Moyen
· 45
Confiance : Confiance 67 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0567
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
SOCKS5 greeting
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "0500",
"emulator_response_len": 2,
"bytes_in": 3,
"payload_entropy": 1.584962500721156,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": "socks5",
"app_proto": "socks5",
"asn": 14061,
"country": "GB",
"dst_port": 1080,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "271d05a6cd2323b9ac63bce8f3ac33332ef07649",
"event_fingerprint": "3331cd638f7f2882b3f28f93273086620fcbe7b5",
"classification_reason": "Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"confidence": 0.75,
"classification_confidence": 0.75,
"precision_score": 75,
"precision_signals": [
"pat-0567",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0567",
"INT-upstream"
],
"matched_patterns": [
"pat-0554",
"pat-0567"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"SOCKS5 greeting"
],
"pattern_ids": [
"pat-0554",
"pat-0567"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "socks5",
"risk_confidence_factor": 67,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "da075e9d699084fc189cdd233081c49f",
"path_pattern_hash": "bfccf9f2989c411a7f395b1e4889bbc9"
},
"target_context": {
"dst_port": 1080,
"service": "socks5",
"service_name": "socks5",
"risk_score": 45
},
"payload_preview": "\u0005\u0001\u0000",
"request_sample": "\u0005\u0001\u0000",
"payload_snippet": "\u0005\u0001\u0000",
"evidence": {
"request_sample": "\u0005\u0001\u0000",
"payload_snippet": "\u0005\u0001\u0000",
"classification_reason": "Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"network_service_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0d80e8fd6254a8b4da743f53b12e94ed91fca06d",
"protocol_details": {
"payload_preview": "\u0005\u0001\u0000",
"port": 1080,
"service": "socks5",
"service_label_fr": "SOCKS5"
},
"attack_vector": "socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)",
"target_port_label": "1080 \u00b7 SOCKS5",
"emulator_service": "socks5",
"confidence_reason": "Confiance 67 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"classification_reason_label_fr": "Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 67%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 75,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "socks5",
"service_label_fr": "SOCKS5",
"dst_port": 1080,
"protocol_emulated": true,
"tags_summary": [
"pat-0567",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0567",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-socks5",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0005\u0001\u0000",
"port": 1080,
"service": "socks5",
"service_label_fr": "SOCKS5"
},
"attack_vector": "socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "1080 \u00b7 SOCKS5",
"emulator_service": "socks5",
"confidence_reason": "Confiance 67 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 75 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "socks5",
"service_banner": "honeypot-socks5",
"service_os": "linux",
"dst_port": "1080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"port:12324",
"socks5"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_socks5_probe",
"socks5_emulated",
"socks5_greeting",
"socks5_handshake"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
1180
|
—
|
Scan de ports
port scan syn · port 1180 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Multi-protocole corrélé (5 min)
Protocole
WAF
—
Recommandation
Surveiller
Tags
socks5_greeting
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1180
Chemin / cible
—
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +12
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 1 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
Minecraft varint handshake
SOCKS5 greeting
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 3,
"payload_entropy": 1.584962500721156,
"port_category": "registered",
"org": "DigitalOcean, LLC",
"service": null,
"app_proto": null,
"asn": 14061,
"country": "GB",
"dst_port": 1180,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 42,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "4faccb0edb699bcd2ab5bb672570b8c3a1488234",
"event_fingerprint": "c278b9646ba32a9590ceec804536b45da31e7b48",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 231,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0554",
"pat-0567"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"SOCKS5 greeting"
],
"pattern_ids": [
"pat-0554",
"pat-0567"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 12
},
"named_classification_skipped": false,
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "GB",
"asn": 14061,
"org": "DigitalOcean, LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "da075e9d699084fc189cdd233081c49f",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 1180,
"risk_score": 42
},
"payload_preview": "\u0005\u0001\u0000",
"request_sample": "\u0005\u0001\u0000",
"payload_snippet": "\u0005\u0001\u0000",
"evidence": {
"request_sample": "\u0005\u0001\u0000",
"payload_snippet": "\u0005\u0001\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a8e44176439b8ade5db22467166133840f24e01d",
"protocol_details": {
"payload_preview": "\u0005\u0001\u0000",
"port": 1180
},
"attack_vector": "port scan syn \u00b7 port 1180 \u00b7 (reconnaissance)",
"target_port_label": "1180",
"confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 12
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 1180,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"scan_rapide",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +12",
"protocol_details": {
"payload_preview": "\u0005\u0001\u0000",
"port": 1180
},
"attack_vector": "port scan syn \u00b7 port 1180 \u00b7 (reconnaissance)",
"evidence_snippet": null,
"target_port_label": "1180",
"emulator_service": null,
"confidence_reason": "Confiance 100 % \u2014 1 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +12",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "1180"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 3,
"scan_velocity_ports_per_s": 30,
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"port:1180",
"port:12324",
"socks5"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"rapid_port_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 12,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"socks5_greeting"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
3389
|
rdp
|
Sonde RDP
|
Élevée
|
Élevé · 74
|
|
Étape
—
WAF
—
Recommandation
—
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|