{"ip":"209.99.187.19","exported_at":"2026-06-08T22:04:32+00:00","period_days":90,"metrics":{"events7d":1833,"distinct_ports":18,"distinct_classifications":17,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":38,"max_risk_score":63,"attack_stage":"recon","attack_chain_stage":"recon","threat_family":["scanner"],"recommended_action":"monitor","confidence":1,"risk_breakdown":{"waf":8,"classification":64,"behavior":0,"geo":0,"protocol":33,"novelty":25},"mitre_tactics":["TA0043"],"mitre_technique":"T1046","top_mitre_technique":"T1046","top_mitre_count":null,"executive_one_liner_fr":"risque 49\/100 \u2014 MITRE T1046","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":64,"behavior":0,"geo":0,"protocol":33,"novelty":25,"risk_score":49,"correlation_boost":6},"persona_hostname":"mail.sensor-1.internal","correlation_flags":["campagne_ports"],"correlation_flags_labels_fr":["Campagne ports"],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":null,"tags_summary_labels_fr":[],"tags_summary":[],"attack_vector":null,"protocol_details":[],"protocol_summary_fr":null,"evidence_snippet":"GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple","target_port_label":"9443 \u00b7 HTTPS","emulator_service":null,"confidence_reason":null,"classification_reason":"Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":null,"payload_preview":"GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple"},"events":[{"id":8450972,"ip":"209.99.187.19","ts":"2026-06-07 07:11:37.000000","proto":"tcp","src_port":50880,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 379, \u0022payload_entropy\u0022: 5.481054186670756, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221797796c690c3170e6bcd4d2c61c6adc1d312487\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022386f471694968a1eb37c266cfe0c4a79\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d312b06b93b433a6e6f455230d274b9b9be913be\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":379},{"id":8450973,"ip":"209.99.187.19","ts":"2026-06-07 07:11:37.000000","proto":"tcp","src_port":50884,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.472202948057918, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221797796c690c3170e6bcd4d2c61c6adc1d312487\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e9b3d32abef6e79ac94f29580e72ddc0\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002294781feec5f3b7ab04aac02ef2024f0f951e4e10\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":386},{"id":8450974,"ip":"209.99.187.19","ts":"2026-06-07 07:11:37.000000","proto":"tcp","src_port":50888,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.473883300480325, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221797796c690c3170e6bcd4d2c61c6adc1d312487\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002269be8396b32a17279097403cb9ac8238\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ed62b4f2df4c8e6d26e8a1135196cc16cd56c816\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":386},{"id":8450975,"ip":"209.99.187.19","ts":"2026-06-07 07:11:37.000000","proto":"tcp","src_port":50894,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 383, \u0022payload_entropy\u0022: 5.480796351183519, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221797796c690c3170e6bcd4d2c61c6adc1d312487\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221ae3ee3cf4d1eee85519189bad7888e8\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022422e1cccc93686a3942317dc4d166098d55dd966\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":383},{"id":8450912,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46540,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":27,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/administrator\/language\/en-GB\/install.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022005fbc4ab2183bf8c673b2b7f188c6fdd4f12456\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022374e3f21b83ce39520690c8e734b70b1147798ba\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 256, \u0022payload_entropy\u0022: 5.3079964899439815, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d3bbaf70c4db3acf7da4913d653e259f9097a9b\u0022, \u0022event_fingerprint\u0022: \u002205e3f1cd9d4dc4d2ecf11a2130c3d7f3ad82ea77\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Joomla admin\u0022, \u0022ES admin GET\u0022, \u0022Probe \/administrator\/\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229ecc9d68a61060f6a2a899b3febeb5c0\u0022, \u0022payload_hash\u0022: \u00228db2808250ceb447bd1d43c2c4957baf\u0022, \u0022path_pattern_hash\u0022: \u002299d77b392b5126ef091af0d5186e18e0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/language\/en-GB\/install.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/language\/en-GB\/install.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226f0a6b542dc2d06a9a9b4ce78c95ca9179e1bc6a\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":256},{"id":8450913,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":55814,"dst_port":8443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 383, \u0022payload_entropy\u0022: 5.484047297653067, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 8443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 3.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222aa17a6b515596b20eaea8d57184d62da9f48dfc\u0022, \u0022event_fingerprint\u0022: \u002248aa5a12dd4150e072f6d3dd03f9143ac67f8d69\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002278969a4fc8cb4448ed66026df506b654\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022241fad9585a80038a66f3db3f750c9a8f8376b7b\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":383},{"id":8450914,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37572,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/htaccess.txt","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u0022b60f0f42926189e1662b708aac1092d571b08770\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u0022bcac0ded0564d5a60b4bf8080877283a3eb8cb0f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 232, \u0022payload_entropy\u0022: 5.280663350949261, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d85d4d5e5280806e0f57eab59329e6d9e70a988\u0022, \u0022event_fingerprint\u0022: \u0022a4b53130cf7d44f1c573119f6506366edf1ac6bb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f70a1b69413fe829e75eadc70a7d31d3\u0022, \u0022payload_hash\u0022: \u002275d7f7e9aa0ab248f0879360a94ac94b\u0022, \u0022path_pattern_hash\u0022: \u0022c9998214e9f1a3c7de61d98ecf85df84\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Geck\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htaccess.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Geck\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htaccess.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Geck\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a4732e55d5845785d6948142e899735ed0d6350f\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":232},{"id":8450915,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":47070,"dst_port":8880,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/web\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u00226f2c22ac9e61885d82ed7f07dd56e4791b76cc36\u0022, \u0022http_target_hash\u0022: \u0022fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 383, \u0022payload_entropy\u0022: 5.484889814615556, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 8880, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ad6b48964cd522362f5790c3a77e9bbdeb9db0d3\u0022, \u0022event_fingerprint\u0022: \u0022829b521cd3c544ace34bee577fe8850ffdd17058\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 53, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022e05551c0b888fb7e3dfbd4bccbd2ed9e\u0022, \u0022path_pattern_hash\u0022: \u002253177baa3eea1f41ac064a836a2fa9b0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8880, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8880\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8880\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8880\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8880\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8880\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022033be94c41cbb090aed8364fc942b48f7c3d4f86\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228880\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:8880","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":383},{"id":8450916,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":34628,"dst_port":9000,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/modules\/custom.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022d10c4e2d0485f9e62d840eb53cca0e91d2300e06\u0022, \u0022http_host_hash\u0022: \u0022319f037be689d5d969fab30b05e5a76c4f957c34\u0022, \u0022http_target_hash\u0022: \u0022632ece66dfb5ec5e21273c3861983a2ba62f07b7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 260, \u0022payload_entropy\u0022: 5.3565178242282325, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022453498e87e825cecea3232558f84c7576c449cac\u0022, \u0022event_fingerprint\u0022: \u002245df7cfe6aebbd94ff708990e3be8b31a6f76501\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022b1797610bb39e36244960d837e64af4c\u0022, \u0022payload_hash\u0022: \u0022bb36aac2d529b1b96ae67a48b4aeb833\u0022, \u0022path_pattern_hash\u0022: \u0022f5ab2d5346f34e0a620fba1ef488dca0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.3\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/modules\/custom.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\u0022, \u0022payload_snippet\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.3\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/modules\/custom.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\u0022, \u0022payload_snippet\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022743a9d7e6473e4dc29eb4813cc58a54b1877dc8e\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9000","http_user_agent":"Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":260},{"id":8450917,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":47308,"dst_port":8888,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/images\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb\u0022, \u0022http_target_hash\u0022: \u0022c3e02c33e4e599b13776537fef445a739c5bf5a1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.477643014042659, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002295202f00d3c52e73eca91eebd49f9d9b7131d601\u0022, \u0022event_fingerprint\u0022: \u0022c971772eb86a5edc9b6474f94d44849cb2d388c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022c2a05464c9fd8ca8a66f1a11778617d8\u0022, \u0022path_pattern_hash\u0022: \u0022ebfc9cc147746028ca30139889e0c240\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/images\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/images\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e9c2c5c667e49d60f9456ab852da625bc29e579f\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:8888","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":386},{"id":8450918,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32806,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/administrator\/","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u002261e23039032a4a3004d8a088aa650990e4cbd032\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u00220f6d04d0a59f96b6ba5c15c3721804e572006f43\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 217, \u0022payload_entropy\u0022: 5.292584049194737, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 50.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022927f1d095b9c94fcbcba50cba0ce935ed980e155\u0022, \u0022event_fingerprint\u0022: \u002207d987571b26264661b71594d51b842d485cda3f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Joomla admin\u0022, \u0022ES admin GET\u0022, \u0022Probe \/administrator\/\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00222a75f30ce091d80f378659d94b0b224e\u0022, \u0022payload_hash\u0022: \u0022f14d73936460f6affa2796fa2a1f8da1\u0022, \u0022path_pattern_hash\u0022: \u0022cb8cd75c08bc9ba0c944ce837c38c33b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Fire\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Fire\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Fire\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d230846e709dbd9436ebecadf3ee7e163d3cd07a\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_elasticsearch_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_elasticsearch_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":217},{"id":8450919,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46544,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/administrator\/manifests\/files\/joomla.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022ac4a2d9624ae9d15d2981a9c471de439e583e1be\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022c6fb3f903fa16273b39114aec8b3d25d6a09b2eb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 258, \u0022payload_entropy\u0022: 5.311892831448649, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002273c2020b4746f1012c480e790b5712ac9c72761d\u0022, \u0022event_fingerprint\u0022: \u0022782b66b4dee4bb6664eff9e901b22cad8afa3e0c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Joomla admin\u0022, \u0022ES admin GET\u0022, \u0022Probe \/administrator\/\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002296b2d25b409cae88dc3740a307615a2e\u0022, \u0022payload_hash\u0022: \u0022d5d2e3cb00729533a7de805ce58abd88\u0022, \u0022path_pattern_hash\u0022: \u0022c4f3d5811d6d989618ffc547885c6936\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/manifests\/files\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/manifests\/files\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223d089256542e8013906dc497d1fb132c386ac6f1\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":258},{"id":8450920,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37580,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/joomla.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022c8270b9b8142897881f4b1fc833d72674a8d2ada\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u0022b5d12a1bd786a4e8ded40b52d9812a90023251c0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.425617903590705, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d85d4d5e5280806e0f57eab59329e6d9e70a988\u0022, \u0022event_fingerprint\u0022: \u0022deadcd64c7fe2af7d77476482ebaa6122ba1d9d7\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022f04de0dc23d510d00054f809c14d1a7c\u0022, \u0022payload_hash\u0022: \u00222b6ad6213040359e6627a3ee381f82a6\u0022, \u0022path_pattern_hash\u0022: \u002237b7494e384a970799b9ec3c4b123d60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022696437ecee1527ebd8443c401bd3ed4bffe7b4dd\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":264},{"id":8450921,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":34636,"dst_port":9000,"service":"http","classification":"port_scan_syn","waf_score":12,"waf_tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/plugins\/system\/debug\/debug.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u002255c10e202d2cc830c6fad83ee818b598f6862443\u0022, \u0022http_host_hash\u0022: \u0022319f037be689d5d969fab30b05e5a76c4f957c34\u0022, \u0022http_target_hash\u0022: \u002272342f75eb3d267db2b9e94ef476febfa2c522cb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 287, \u0022payload_entropy\u0022: 5.3402480108949195, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 56.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 43, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d98952e55e4ee4391cf0f735d31b1e44de4bbae9\u0022, \u0022event_fingerprint\u0022: \u002223158d7e17170f84bfcdb9e52aec5f27a1fc3b18\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 56.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 43, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220a0d4a14746a311ad7eac155020e41aa\u0022, \u0022payload_hash\u0022: \u0022ac18233efb7a05a3fb143727c33f1722\u0022, \u0022path_pattern_hash\u0022: \u00225827499d7e8d83e6835edd2eb5f2a61b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 43}, \u0022payload_preview\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/plugins\/system\/debug\/debug.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language\u0022, \u0022payload_snippet\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/plugins\/system\/debug\/debug.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language\u0022, \u0022payload_snippet\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022061635635c9ee3e16df97c2ab857d52718b8cc49\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9000","http_user_agent":"Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":287},{"id":8450922,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":47320,"dst_port":8888,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/assets\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb\u0022, \u0022http_target_hash\u0022: \u00229deb03ee93b5c35fc64945fba2497110debf3fc9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.479323366465066, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223eb82effec4fd68bb5741ddc17991a74ad0a173f\u0022, \u0022event_fingerprint\u0022: \u002245aead2819b9897c79d424e6ce8a74a1badf2805\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022b54662bc4a1f3dacefeb655b43f9b136\u0022, \u0022path_pattern_hash\u0022: \u002269c03841151170259bac878d0fbd4b66\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f17932fdd5d5400944a5efee4000d9b7f7f558b\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_assets\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:8888","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_assets\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":386},{"id":8450923,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32814,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":27,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/administrator\/help\/en-GB\/toc.json","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022json\u0022, \u0022http_ua_hash\u0022: \u00221f4dbecf47188503e6908ec06829f6dd7a781c4e\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u0022617481da6f5867560cd2fdf70cb848ef7749246d\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 237, \u0022payload_entropy\u0022: 5.293309789848276, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 50.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226015fbc4f081b36082f311f163f79ec1a839c2bd\u0022, \u0022event_fingerprint\u0022: \u00229139a98aa1c341643ac8af91b46b2cad85689fb1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Joomla admin\u0022, \u0022ES admin GET\u0022, \u0022Probe \/administrator\/\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022a7d2f0a22e771a26d02125cd443a890b\u0022, \u0022payload_hash\u0022: \u00226b4bab17fccee2698579c3dd46e9104e\u0022, \u0022path_pattern_hash\u0022: \u0022ffc23282dc35670d41d8f4e8dae550a1\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/help\/en-GB\/toc.json\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/help\/en-GB\/toc.json\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224e265df3b9e6a5a137221ce1dedfc035a5f825c1\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_elasticsearch_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_elasticsearch_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":237},{"id":8450924,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46550,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/htaccess.txt","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u002247ea7c9dd9500081c965a8730f01d7cf6bd9a93a\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022bcac0ded0564d5a60b4bf8080877283a3eb8cb0f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 236, \u0022payload_entropy\u0022: 5.2380856769783755, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221f8759a0e0560315629a38b5e9d59ae4cf9944cf\u0022, \u0022event_fingerprint\u0022: \u0022a8c4a86ace2b8d0cda2fac04c97cedecd5f9c7da\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00228e90eeb938998c9e6282d9d26c571010\u0022, \u0022payload_hash\u0022: \u0022e5fd3a7487060dd779f9a0d251906921\u0022, \u0022path_pattern_hash\u0022: \u0022c9998214e9f1a3c7de61d98ecf85df84\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htaccess.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htaccess.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022416ff95eb7f07d046fb1cc2d90daee8745ecee9b\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022], \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":236},{"id":8450925,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37590,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":27,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/language\/en-GB\/en-GB.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00226520f92909030fedc2988f94867842355245f954\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u0022f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 283, \u0022payload_entropy\u0022: 5.362277545253494, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022be5b28f43d32d2b79fe89f9c1fa69e946815f9cc\u0022, \u0022event_fingerprint\u0022: \u00229c704e3591c4866cda12a9728a9f223f59282088\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002260b020b82d036bb802d8f15e5e7fa429\u0022, \u0022payload_hash\u0022: \u0022a41f4cce23866ad427569561c135a066\u0022, \u0022path_pattern_hash\u0022: \u002299879359e0ccef25e57e05c0e6f11487\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/language\/en-GB\/en-GB.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\u0022, \u0022payload_snippet\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/language\/en-GB\/en-GB.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\u0022, \u0022payload_snippet\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227a965a053575b6b7522b90251905ff61a84075f5\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":283},{"id":8450926,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":34648,"dst_port":9000,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/README.txt","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u0022965ff8e2242872badfc916d53e953e9421712f2e\u0022, \u0022http_host_hash\u0022: \u0022319f037be689d5d969fab30b05e5a76c4f957c34\u0022, \u0022http_target_hash\u0022: \u0022ab9489e2835a4c90f6af65db2a350e9fbed45704\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.341336259351414, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229c5d7559adb354e2d91efec1e4141f730ae1871f\u0022, \u0022event_fingerprint\u0022: \u00221a80ff19830eb1aa2d129bd3d9abcd9526506df0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00229d60aea58f73e41216ec1d195ee03b6a\u0022, \u0022payload_hash\u0022: \u0022d1fa8b0eb289e778c903b842c6819a11\u0022, \u0022path_pattern_hash\u0022: \u0022f1da2ac495442188b42e61002c12ea20\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/README.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/README.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/README.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/README.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022467ba95affaa50b9a14d6962dd72aab09b8129c7\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":264},{"id":8450927,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":47328,"dst_port":8888,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/web\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb\u0022, \u0022http_target_hash\u0022: \u0022fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 383, \u0022payload_entropy\u0022: 5.486279028651169, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 8888, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002295202f00d3c52e73eca91eebd49f9d9b7131d601\u0022, \u0022event_fingerprint\u0022: \u0022323f93d77f93e3da37317f005e5cda72897e2315\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0599\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022HTTP alt 8888 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0599\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u002271e3ba179f4c4c427c9798d79db62911\u0022, \u0022path_pattern_hash\u0022: \u002253177baa3eea1f41ac064a836a2fa9b0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8888, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:8888\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002294ad3200b50b6546b7037791b690c0f6417a4e8a\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228888\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:8888","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":383},{"id":8450928,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32816,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":27,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/administrator\/language\/en-GB\/install.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00222aadc66e2d0d6b19b5c1dc0949c6a4c50bef3ccd\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u0022374e3f21b83ce39520690c8e734b70b1147798ba\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 280, \u0022payload_entropy\u0022: 5.4145192685239865, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 50.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 8, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226015fbc4f081b36082f311f163f79ec1a839c2bd\u0022, \u0022event_fingerprint\u0022: \u0022e9bfe9884989619c61e5dbde583eeac8e0aff76d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Joomla admin\u0022, \u0022ES admin GET\u0022, \u0022Probe \/administrator\/\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002226f16ed5ec807682bc28ec6b76672236\u0022, \u0022payload_hash\u0022: \u0022da285868351f80f351d808f844daa7b1\u0022, \u0022path_pattern_hash\u0022: \u002299d77b392b5126ef091af0d5186e18e0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_6\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/language\/en-GB\/install.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nA\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_6\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/language\/en-GB\/install.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nA\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002244aec872d6460ac0bfe6ec45e2cf6e3d573fac87\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_elasticsearch_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_elasticsearch_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":280},{"id":8450929,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46562,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/joomla.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00228339b4acdf577e2b24cab540d8a972c8d1e7b4a6\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022b5d12a1bd786a4e8ded40b52d9812a90023251c0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 211, \u0022payload_entropy\u0022: 5.271250677479469, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221f8759a0e0560315629a38b5e9d59ae4cf9944cf\u0022, \u0022event_fingerprint\u0022: \u0022582a6cb1b4f1e6bba14685816c567b585d6f8d77\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022c4bf3fb97070dc3c9a96fcad289b2eda\u0022, \u0022payload_hash\u0022: \u002215a15dd4b0f3a3e699bd3548d9789144\u0022, \u0022path_pattern_hash\u0022: \u002237b7494e384a970799b9ec3c4b123d60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fead26eb95da5f0fd533308a50f5a1d7cd8004b4\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":211},{"id":8450930,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37606,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/modules\/custom.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u002283e599b94f7817a451a1792c6fb4264c84f03f8f\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u0022632ece66dfb5ec5e21273c3861983a2ba62f07b7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 236, \u0022payload_entropy\u0022: 5.274994248737962, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225fea04cc985cce942f1ed846fb59e77df424e101\u0022, \u0022event_fingerprint\u0022: \u002286949080eb83b51bf85013c8ac83da73943eaf7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00226ead205f397a7e3c8afaeabd9dade729\u0022, \u0022payload_hash\u0022: \u00227f27bde6e1a333d9325c7c2162e3872b\u0022, \u0022path_pattern_hash\u0022: \u0022f5ab2d5346f34e0a620fba1ef488dca0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0)\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/modules\/custom.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/modules\/custom.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c7fe739e7cc2df54e0a1cee9dc8046ca2cfbdfe6\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":236},{"id":8450931,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":34650,"dst_port":9000,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022319f037be689d5d969fab30b05e5a76c4f957c34\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 379, \u0022payload_entropy\u0022: 5.4743123487764445, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229c5d7559adb354e2d91efec1e4141f730ae1871f\u0022, \u0022event_fingerprint\u0022: \u00224651a329b01f2679f1a7bc8c4046bc99b1bd4e8a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022408f6a31275a17a3c915c6554c34b447\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220ef512dbc9944ebe2cd446c085b3a2ad36066dbd\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":379},{"id":8450932,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32824,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/administrator\/manifests\/files\/joomla.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00222aaad91811e4d48f8e2af76c4257f29d8895c9e5\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u0022c6fb3f903fa16273b39114aec8b3d25d6a09b2eb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 308, \u0022payload_entropy\u0022: 5.349515194072036, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 50.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 7, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022927f1d095b9c94fcbcba50cba0ce935ed980e155\u0022, \u0022event_fingerprint\u0022: \u00229e5edd369d314f45b23a5dd7fb490ad5df0c88a0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022matched_pattern_names\u0022: [\u0022ET Joomla admin\u0022, \u0022ES admin GET\u0022, \u0022Probe \/administrator\/\u0022, \u0022ActiveMQ console\u0022], \u0022pattern_ids\u0022: [\u0022pat-0853\u0022, \u0022pat-0341\u0022, \u0022pat-0238\u0022, \u0022pat-0606\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022e83d69b141a15ce2b755f6bc9aec8730\u0022, \u0022payload_hash\u0022: \u0022ce8380e42496e49af1e7a61c6f194dc9\u0022, \u0022path_pattern_hash\u0022: \u0022c4f3d5811d6d989618ffc547885c6936\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/manifests\/files\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1\\r\\nConnection: close\\r\\nAccept:\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/administrator\/manifests\/files\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1\\r\\nConnection: close\\r\\nAccept:\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f394d7f6c54843f2b61f6b9159d1e362d68fa43e\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_elasticsearch_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_admin_panel_probe\u0022, \u0022http_admin_panel_scan\u0022, \u0022http_probe_joomla\u0022, \u0022net_elasticsearch_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":308},{"id":8450933,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46578,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":27,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/language\/en-GB\/en-GB.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00225d77db8f57d6365bde54bc9c97e5d83b5074eac5\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 279, \u0022payload_entropy\u0022: 5.427849932821815, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a74ffb95ba511311a069e942408f4165a6831da3\u0022, \u0022event_fingerprint\u0022: \u0022278e5328bf9c5cbc1265905b6148be3c2b64aeb6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002252b641b5cd5f9c6f1a0ba8d4957c3d24\u0022, \u0022payload_hash\u0022: \u002242c12a917501eae7ba41ed282f95efea\u0022, \u0022path_pattern_hash\u0022: \u002299879359e0ccef25e57e05c0e6f11487\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022payload_preview\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Ap\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/language\/en-GB\/en-GB.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAc\u0022, \u0022payload_snippet\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Ap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/language\/en-GB\/en-GB.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAc\u0022, \u0022payload_snippet\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f0275e47e0e9d8826d44f224b1169a51eaa1e90d\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":10,"bytes_in":279},{"id":8450934,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37616,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/plugins\/system\/debug\/debug.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00228f949e3e92a6442150d2ad03376ac68619676d64\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u002272342f75eb3d267db2b9e94ef476febfa2c522cb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 287, \u0022payload_entropy\u0022: 5.3760787387700155, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a2444edec96b7413c0d38fa1f7025d9e8539ba0a\u0022, \u0022event_fingerprint\u0022: \u00228526e3d6005d9002e7ee755821cd3161991d35c8\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00225d235e329a4ccabef6c796a3246460b0\u0022, \u0022payload_hash\u0022: \u0022c9de5b5acae4c0ce8d5774811e7c4bb2\u0022, \u0022path_pattern_hash\u0022: \u00225827499d7e8d83e6835edd2eb5f2a61b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/plugins\/system\/debug\/debug.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language\u0022, \u0022payload_snippet\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/plugins\/system\/debug\/debug.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language\u0022, \u0022payload_snippet\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002224a03254da572babe6875c7d110f52d1874b18c8\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":287},{"id":8450935,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":34660,"dst_port":9000,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/images\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022319f037be689d5d969fab30b05e5a76c4f957c34\u0022, \u0022http_target_hash\u0022: \u0022c3e02c33e4e599b13776537fef445a739c5bf5a1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.4655833714725715, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022453498e87e825cecea3232558f84c7576c449cac\u0022, \u0022event_fingerprint\u0022: \u00222ee3781ffe1da68f5efab84a7f93bcaf11fbcda0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022ca7c5021e44812c8ae14f06574b139f8\u0022, \u0022path_pattern_hash\u0022: \u0022ebfc9cc147746028ca30139889e0c240\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/images\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/images\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227d15008ce3caa64373adc15110fa941a9794a4f8\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":386},{"id":8450936,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32834,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/htaccess.txt","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u0022047fc0056fed61b21a978f7b64cfed6da1000f90\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u0022bcac0ded0564d5a60b4bf8080877283a3eb8cb0f\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 215, \u0022payload_entropy\u0022: 5.273755688385092, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d3eb8cda349d616807a1b4984eb3302b1e0ff1f\u0022, \u0022event_fingerprint\u0022: \u002222909c2c358f2deb431b10ca3140d39e9c06ae94\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022557b4340179414b169baa7e616709ff3\u0022, \u0022payload_hash\u0022: \u00221b083be330c762ed492eb958139cde5d\u0022, \u0022path_pattern_hash\u0022: \u0022c9998214e9f1a3c7de61d98ecf85df84\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefo\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htaccess.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefo\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/htaccess.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/htaccess.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefo\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b16a77c8c4b98eca784024618e75c94b5d0a84f8\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_elasticsearch_probe\u0022], \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_elasticsearch_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":215},{"id":8450937,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46592,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/modules\/custom.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u002261a68d8ae82bc8425114abf48390d06cae6524df\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022632ece66dfb5ec5e21273c3861983a2ba62f07b7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 228, \u0022payload_entropy\u0022: 5.317416746952136, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a63c14f5d607c99cde4cdd85c390346bf140f696\u0022, \u0022event_fingerprint\u0022: \u002235100c2441e29e152293dcc09ea06a1e75ba8365\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221846ec21f37e27db5dcc081ead338b2b\u0022, \u0022payload_hash\u0022: \u002209ac954af5a37d211947505daa48968b\u0022, \u0022path_pattern_hash\u0022: \u0022f5ab2d5346f34e0a620fba1ef488dca0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/modules\/custom.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/modules\/custom.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002208089c0276350110713d0c7e3e889f839e33703c\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":9,"bytes_in":228},{"id":8450938,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37626,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/README.txt","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u00224f57cc881a53cebe5d10cc98311e08065ac92bb0\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u0022ab9489e2835a4c90f6af65db2a350e9fbed45704\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 230, \u0022payload_entropy\u0022: 5.278215988304177, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d85d4d5e5280806e0f57eab59329e6d9e70a988\u0022, \u0022event_fingerprint\u0022: \u002205f93509cd89f423f489f5d361732b1daff6fda6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002264bac746a47771f6b253e04214bfea07\u0022, \u0022payload_hash\u0022: \u0022c69f62589f4eb74291e248d102a21e99\u0022, \u0022path_pattern_hash\u0022: \u0022f1da2ac495442188b42e61002c12ea20\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/README.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/README.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/README.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/README.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002244837644830772f0d9713624e3f32126d8c93d50\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 11, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":230},{"id":8450939,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":50760,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 257, \u0022payload_entropy\u0022: 5.315592102305811, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221797796c690c3170e6bcd4d2c61c6adc1d312487\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225b5314220e6da4ce39ef6e7f61493f18\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10 (KHTML, like Gecko) Version\/10.1 Safari\/603.1.10\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10 (KHTML, like Gecko) Version\/10.1 Safari\/603.1.10\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a25c7d2109b337918bc2d8603b6a2b67b19043e4\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":257},{"id":8450940,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":34668,"dst_port":9000,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/assets\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022319f037be689d5d969fab30b05e5a76c4f957c34\u0022, \u0022http_target_hash\u0022: \u00229deb03ee93b5c35fc64945fba2497110debf3fc9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.467263723894979, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002250601b5c70bbc389ae18935f6682f7ab095602d7\u0022, \u0022event_fingerprint\u0022: \u002208a4f4e8ba38d704bbc160a55f6607398a7c5e03\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022258137661b34dd30b041a7a67b240f10\u0022, \u0022path_pattern_hash\u0022: \u002269c03841151170259bac878d0fbd4b66\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c0ce68dafbdec5b53131653bd1560468e4943b7a\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_assets\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_assets\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":386},{"id":8450941,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32836,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/joomla.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022e3a32f55b71ae8a498448110322cd43ae763cf10\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u0022b5d12a1bd786a4e8ded40b52d9812a90023251c0\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 269, \u0022payload_entropy\u0022: 5.36048934453257, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c5e582e8728e324f8ed7a74f6610a26ef4dfd814\u0022, \u0022event_fingerprint\u0022: \u0022fabc916c3149f4bdd1efc118f03dd97135660681\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00221a2ba31a31774016978b8347c1d40962\u0022, \u0022payload_hash\u0022: \u0022d0aa538a0955db10f8364440a0eda84c\u0022, \u0022path_pattern_hash\u0022: \u002237b7494e384a970799b9ec3c4b123d60\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encod\u0022, \u0022payload_snippet\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/joomla.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/joomla.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encod\u0022, \u0022payload_snippet\u0022: \u0022GET \/joomla.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227c874a04d5041626d73e827aaa94e411019707d1\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":269},{"id":8450942,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46600,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/plugins\/system\/debug\/debug.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022d38e7e5db0ab51bdb1d82bfbf6dfdd83ae4f5400\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u002272342f75eb3d267db2b9e94ef476febfa2c522cb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 273, \u0022payload_entropy\u0022: 5.381856787756209, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 53, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ddc3942d3f9669a85a224881e69cec3dd7955864\u0022, \u0022event_fingerprint\u0022: \u0022a04271c344099ac513136544dc16640071ee29e7\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022matched_patterns\u0022: [\u0022pat-0324\u0022], \u0022matched_pattern_names\u0022: [\u0022SSRF Any-address SSRF\u0022], \u0022pattern_ids\u0022: [\u0022pat-0324\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 53, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220fe300705f782d2c1f493cb803abe942\u0022, \u0022payload_hash\u0022: \u002222e2b75901c72f23bb9b5dc69da3edc7\u0022, \u0022path_pattern_hash\u0022: \u00225827499d7e8d83e6835edd2eb5f2a61b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 53}, \u0022payload_preview\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) Appl\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/plugins\/system\/debug\/debug.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) Appl\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/plugins\/system\/debug\/debug.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-E\u0022, \u0022payload_snippet\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) Appl\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002212f2935cb937574ca787de32934039d444506146\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":273},{"id":8450943,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37640,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 379, \u0022payload_entropy\u0022: 5.480986029549481, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 47, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a2479d55de5f7a2941ae9adde7c733926bfcfb6b\u0022, \u0022event_fingerprint\u0022: \u00225eb8b5865ef3a41227bedc4c1732805f36079deb\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 47, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022a8cd502fd0b5521d5113b693c7e6a537\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 47}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229c8f8ce9e9c4388b29aecf1c43bf66186ad540cf\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":379},{"id":8450944,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":50776,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.345571082563361, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 49, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221797796c690c3170e6bcd4d2c61c6adc1d312487\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 49, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f7922035e5dad20c3f73e201c11f72c6\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 49}, \u0022payload_preview\u0022: \u0022GET \/joomla\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/6\u0022, \u0022request_sample\u0022: \u0022GET \/joomla\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.0 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/joomla\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/6\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/joomla\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.0 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/joomla\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022330d132b793b45737ae8f40ff8646cf9e792e665\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":264},{"id":8450945,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":34676,"dst_port":9000,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/web\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022319f037be689d5d969fab30b05e5a76c4f957c34\u0022, \u0022http_target_hash\u0022: \u0022fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 383, \u0022payload_entropy\u0022: 5.4741249241288354, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9000, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022de7429818ef61fbf569b412423f4860010301c48\u0022, \u0022event_fingerprint\u0022: \u0022d0a51c7f68e75089d1f1f94bc6a2a81489c7d86c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022f9f8f76100b7b7f22e1c4282aed23757\u0022, \u0022path_pattern_hash\u0022: \u002253177baa3eea1f41ac064a836a2fa9b0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9000, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9000\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221b27114b9385c86b7cb0daf1e77acced456a0d2b\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9000","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":383},{"id":8450946,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32842,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":27,"waf_tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/language\/en-GB\/en-GB.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 3, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u002289d412a9f31adf24199f408caf29ecfea7a041dc\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u0022f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 266, \u0022payload_entropy\u0022: 5.393992441929785, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022caa7a4e11a32367c4b42fa3e8322444d6d0580b4\u0022, \u0022event_fingerprint\u0022: \u002229d334ded8b5b342b8f9d6f812a41cf17d9cad19\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u002287ed9e8d39c6e9cc0360c54beb04f156\u0022, \u0022payload_hash\u0022: \u0022d98871f365eb1718f4107c5156753a5a\u0022, \u0022path_pattern_hash\u0022: \u002299879359e0ccef25e57e05c0e6f11487\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/language\/en-GB\/en-GB.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/language\/en-GB\/en-GB.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding\u0022, \u0022payload_snippet\u0022: \u0022GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d2c9594fa1cfb217a75f50140862fe196052977a\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36","http_referer":null,"tags":"[\u0022950316:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":10,"bytes_in":266},{"id":8450947,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46608,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":6,"waf_tags":"[\u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/README.txt","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022txt\u0022, \u0022http_ua_hash\u0022: \u00220073d6782eb0bbe804a461c5fff2be28c2db1107\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022ab9489e2835a4c90f6af65db2a350e9fbed45704\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 267, \u0022payload_entropy\u0022: 5.354445731086917, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 32.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 42, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b0628f4bfd6792b82ca19b8444197237c1158dfa\u0022, \u0022event_fingerprint\u0022: \u00227c77daca293d83d500816aaed9bf51f5e5ded1ef\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3 \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 32.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 42, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022bdb2d93cd8efdfa47fc1bfcadd8135f9\u0022, \u0022payload_hash\u0022: \u0022497e9239a769e88721614bddcfee223d\u0022, \u0022path_pattern_hash\u0022: \u0022f1da2ac495442188b42e61002c12ea20\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 42}, \u0022payload_preview\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/README.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/README.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encodin\u0022, \u0022payload_snippet\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/README.txt\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/README.txt HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encodin\u0022, \u0022payload_snippet\u0022: \u0022GET \/README.txt HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi\u0022, \u0022classification_reason\u0022: \u0022Tags WAF: nosqli-3 \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002299bfad8e0cb2e81fd5ec17d87e00bbdc9a274e57\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":267},{"id":8450948,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37644,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/images\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u0022c3e02c33e4e599b13776537fef445a739c5bf5a1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.472136026946615, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022715977348344914687ffb3703f919ed2ca6c5b73\u0022, \u0022event_fingerprint\u0022: \u0022c235c53d75a994670e6f33be7939a59cd792ff8a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u00227823906dfa2137b0782d9235f83ea689\u0022, \u0022path_pattern_hash\u0022: \u0022ebfc9cc147746028ca30139889e0c240\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/images\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/images\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002286f603ffc4e4830da35b247dc635d03a0dd265f6\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":386},{"id":8450949,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":50790,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 215, \u0022payload_entropy\u0022: 5.279605273977641, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229f6b0420b9eb131217ffa91d20600329bbbfb575\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0341\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022ES admin GET\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0341\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022450208103c85d2a296a530370161e627\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Fire\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Firefox\/4.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Fire\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Firefox\/4.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/ HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Fire\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002244f1c94541ef3c0f26b708101447983aa6cc77fe\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022tor_exit_probe\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022tor_exit_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":215},{"id":8450950,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32846,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/modules\/custom.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u0022f69c504bcf536d3a13acbd93ecbb187977854f22\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u0022632ece66dfb5ec5e21273c3861983a2ba62f07b7\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 275, \u0022payload_entropy\u0022: 5.45632467666, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 40.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022343d86788912adb29cecdb55f9194dedef9b3420\u0022, \u0022event_fingerprint\u0022: \u00222110d0d9e8e9fa5a1c9657dfe1c48ca702c07819\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 40.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d10745557f37492a4072c2c18fd476a0\u0022, \u0022payload_hash\u0022: \u00227bd57b01fef48d03e33ea3b1d069bfd1\u0022, \u0022path_pattern_hash\u0022: \u0022f5ab2d5346f34e0a620fba1ef488dca0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/modules\/custom.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept\u0022, \u0022payload_snippet\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/modules\/custom.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept\u0022, \u0022payload_snippet\u0022: \u0022GET \/modules\/custom.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022897e4c7e084953278a915573e6b512199af382ef\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":275},{"id":8450951,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46614,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":13,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 379, \u0022payload_entropy\u0022: 5.476738957057563, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 60.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 44, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002212c6bf30c819300b659d1424d4cbd3a5a87c2824\u0022, \u0022event_fingerprint\u0022: \u0022544dc0fe00c4319033ac194aa454357b3d8491ac\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 60.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 44, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u00222b3ad1077ba46ddc2c0616c160844d2c\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 44}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml,app\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022eca0d7c461d4ab2a02f4a79c46da500ddd2de738\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":7,"bytes_in":379},{"id":8450952,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37660,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/assets\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u00229deb03ee93b5c35fc64945fba2497110debf3fc9\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.473816379369022, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022628b4fe0761503599a5380d7ca6d1fd897b41b57\u0022, \u0022event_fingerprint\u0022: \u00223a714df34619336a873b4f81534ca2149c15cb7d\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022507b2a3ea75ea47fe08a0ef721740a4b\u0022, \u0022path_pattern_hash\u0022: \u002269c03841151170259bac878d0fbd4b66\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/assets\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/assets\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e881968ccbbae115f102cd6f336e44797e1cfe82\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_assets\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_probe_assets\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":386},{"id":8450953,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":50800,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 288, \u0022payload_entropy\u0022: 5.413589222251362, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229f6b0420b9eb131217ffa91d20600329bbbfb575\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0341\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022ES admin GET\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0341\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00229705c4250ee584e9f595ec7bca7a3f45\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Languag\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Languag\u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ba6d8cda1531c4a6540472d02d524abc2577ab28\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022tor_exit_probe\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022tor_exit_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":288},{"id":8450954,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":32862,"dst_port":9200,"service":"elasticsearch","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/plugins\/system\/debug\/debug.xml","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c\u0022, \u0022emulator_response_len\u0022: 172, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 4, \u0022http_path_ext\u0022: \u0022xml\u0022, \u0022http_ua_hash\u0022: \u00224a1ec4432565701a873ea9c071435e548aa28a86\u0022, \u0022http_host_hash\u0022: \u0022ed2de66492dda3548e78c5a14cea344abaddd118\u0022, \u0022http_target_hash\u0022: \u002272342f75eb3d267db2b9e94ef476febfa2c522cb\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 289, \u0022payload_entropy\u0022: 5.348301845036422, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022app_proto\u0022: \u0022elasticsearch\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9200, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 50.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022595c2068da5c2fdf800cf250f9523ca4067913ad\u0022, \u0022event_fingerprint\u0022: \u00221973b96716d3b4a0b3da50e811dc89625773a617\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 171, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 50.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d24f15f109daba5836bb62e8900206b6\u0022, \u0022payload_hash\u0022: \u00228532cbca19bafcd646d84be6735ddd73\u0022, \u0022path_pattern_hash\u0022: \u00225827499d7e8d83e6835edd2eb5f2a61b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9200, \u0022service\u0022: \u0022elasticsearch\u0022, \u0022service_name\u0022: \u0022elasticsearch\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/plugins\/system\/debug\/debug.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Langua\u0022, \u0022payload_snippet\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/plugins\/system\/debug\/debug.xml\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Langua\u0022, \u0022payload_snippet\u0022: \u0022GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9200\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X\u0022, \u0022classification_reason\u0022: \u0022Sonde fichier sensible \/ config \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a4359dce981fc726b4ee0b4f7715cde5c3aa16e4\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022elasticsearch\u0022, \u0022service_banner\u0022: \u0022Elasticsearch 8.11\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229200\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9200","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022http_sensitive_path\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":289},{"id":8450955,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":46622,"dst_port":9090,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/images\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b\u0022, \u0022emulator_response_len\u0022: 146, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022e862b30a39ca6c6e44401c5388b26fc59bec543c\u0022, \u0022http_target_hash\u0022: \u0022c3e02c33e4e599b13776537fef445a739c5bf5a1\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 386, \u0022payload_entropy\u0022: 5.4679659739040325, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9090, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002213e8fb57e883517660546c2e8899f440a60eb584\u0022, \u0022event_fingerprint\u0022: \u0022d095527634dc7fa9c696299748902af14e00eb7b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022d90e663e7dd4a13dfae2997332de56b3\u0022, \u0022path_pattern_hash\u0022: \u0022ebfc9cc147746028ca30139889e0c240\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/images\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/images\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+\u0022, \u0022payload_snippet\u0022: \u0022GET \/images\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9090\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022453538f6e1ffb21a51a953e500a27865cc4aac43\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9090","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":386},{"id":8450956,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":37670,"dst_port":9080,"service":"http","classification":"port_scan_syn","waf_score":19,"waf_tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/web\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 6, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 2, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022009708ab8b415efb3877101f8f03a9c41d918a5b\u0022, \u0022http_host_hash\u0022: \u0022166182c7e9b509a6489d1c8594764559cde7560a\u0022, \u0022http_target_hash\u0022: \u0022fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 383, \u0022payload_entropy\u0022: 5.480728905885966, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 84.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022715977348344914687ffb3703f919ed2ca6c5b73\u0022, \u0022event_fingerprint\u0022: \u00229be9704477919700bf68569e6bf597045fd0c00f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 226, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022, \u0022INT-waf-score\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 84.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u00220e0a16705ffce731cc88304d238f489d\u0022, \u0022payload_hash\u0022: \u0022139fbe8a1303c287b2786711620b18db\u0022, \u0022path_pattern_hash\u0022: \u002253177baa3eea1f41ac064a836a2fa9b0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/web\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\u0022, \u0022waf_tags\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022rce-0\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\\r\\nConnection: close\\r\\nAccept: text\/html,application\/xhtml+xml\u0022, \u0022payload_snippet\u0022: \u0022GET \/web\/favicon.ico HTTP\/1.1\\r\\nHost: www.blacklistip.com:9080\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002239ebfb77455c58735d53c5dd5ee529ec3891898c\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"www.blacklistip.com:9080","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36","http_referer":null,"tags":"[\u0022950326:rce-0\u0022, \u0022950468:nosqli-3\u0022, \u0022950470:nosqli-3\u0022, \u0022net_port_scan_fast\u0022]","anomalies":"[]","severity":9,"bytes_in":383},{"id":8450957,"ip":"209.99.187.19","ts":"2026-06-07 07:11:36.000000","proto":"tcp","src_port":50802,"dst_port":9443,"service":"https","classification":"port_scan_syn","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 264, \u0022payload_entropy\u0022: 5.253956204257235, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 402253, \u0022country\u0022: \u0022CH\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 64.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 20, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229f6b0420b9eb131217ffa91d20600329bbbfb575\u0022, \u0022event_fingerprint\u0022: \u002266de93e93356302b7cdade60cabf69b7305865e4\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 196, \u0022precision_signals\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022MITRE-T1046\u0022, \u0022SIGMA-net-port-scan\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0341\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022ES admin GET\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0341\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 64.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50, \u0022correlation_boost\u0022: 6}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022CH\u0022, \u0022asn\u0022: 402253, \u0022org\u0022: \u0022SKN Subnet \u0026 Telecom Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224a5a66f1b838c974de5e4e873c82c32f\u0022, \u0022path_pattern_hash\u0022: \u00226a708bf69e8680803ad7dadb39e2e4d9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte\u0022, \u0022request_sample\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko\/20100101 Firefox\/141.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko\/20100101 Firefox\/141.0\\r\\nConnection: close\\r\\nAccept: *\/*\\r\\nAccept-Language: en\\r\\nAccept-Encoding: \u0022, \u0022payload_snippet\u0022: \u0022GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\\r\\nHost: www.blacklistip.com:9443\\r\\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022recon\u0022, \u0022mitre_tactics\u0022: [\u0022TA0043\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022165cf46e0fe77d8c5d894c7dd17f5652b201b10d\u0022, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022port_scan_campaign\u0022: true, \u0022port_scan_distinct_ports\u0022: 12, \u0022port_scan_ports_sample\u0022: [7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443], \u0022behavior_alerts\u0022: [\u0022port_scan_campaign\u0022], \u0022correlation_confidence_boost\u0022: 6, \u0022attack_chain_stage\u0022: \u0022recon\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022tor_exit_probe\u0022, \u0022websphere_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022http_get_probe\u0022, \u0022mozi_pattern\u0022, \u0022net_port_scan_fast\u0022, \u0022tor_exit_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":7,"bytes_in":264}],"total_events":1833}