Renseignement sur les menaces

Suisse

209.99.187.19

FAI SKN Subnet & Telecom Ltd Première vue 07/06/2026 00:44 UTC Dernière vue 07/06/2026 07:11 UTC Risque Moyen

Période analysée : 2026-05-09 → 2026-06-08

risque 49/100 — MITRE T1046

Base IP Signaler JSON CSV STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 63/100 Moyen

Première observation 07/06/2026 00:44 UTC

Dernière observation 07/06/2026 07:11 UTC

Événements (période) 1,833

MITRE ATT&CK principal T1046

risque 49/100 — MITRE T1046

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 100%

Comparaison ASN / FAI

ASN 402253 · 209.99.184.0/21 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 1,833 événements sur la période pour cette IP.

209.99.187.52 Sonde port 08/06/2026 19:43 UTC
209.99.185.59 Sonde port 08/06/2026 19:43 UTC
209.99.190.113 Sonde SSH 08/06/2026 16:22 UTC
209.99.187.91 Sonde port 1723/TCP 07/06/2026 22:52 UTC
209.99.188.147 Sonde port 07/06/2026 06:26 UTC
209.99.191.9 Scan de ports 06/06/2026 15:26 UTC
209.99.189.177 Sonde SSH 26/05/2026 21:16 UTC
209.99.184.233 telnet attack 24/05/2026 05:42 UTC

Événements (filtres)

1,833

Première observation

07/06/2026 00:44 UTC

Dernière observation

07/06/2026 07:11 UTC

Dernière activité (filtres)

07/06/2026 07:11 UTC

Événements 7j

1,833

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 1,207 HTTPS TCP 304 SAP ICM TCP 152 ELASTICSEARCH TCP 152 MONGODB TCP 7 MONGODB HTTP TCP 2 MONGODB SHARD TCP 2 MONGODB CONFIG TCP 2 WEBSPHERE TCP 1 HTTP ALT 8880 TCP 1 PROMETHEUS TCP 1 INFLUXDB TCP 1 WEBLOGIC SSL TCP 1

HTTP

1,207

HTTPS

304

SAP ICM

152

ELASTICSEARCH

152

MONGODB

MONGODB HTTP

Géolocalisation

Origine réseau déclarée

Suisse unknown unknown

FAI / réseau

Opérateur et dernière activité ban

SKN Subnet & Telecom Ltd 0 Port 9443 port_scan_syn

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

recon

Aperçu payload

GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple

Port / service

9443 · HTTPS

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Campagne ports

Recommandation

Surveiller

Confiance

100%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

1,833 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

1833 événement(s) — page 3/37

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/129.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 236, "payload_entropy": 5.2622784987773015, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b2deb88d710756caace987ff77b1255f", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) ", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko\/20100101 Firefox\/129.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)", "evidence": { "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko\/20100101 Firefox\/129.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd7b74cd77ea6bea854f28730360f0aac06dd0c6", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /images/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /images/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /images/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "c3e02c33e4e599b13776537fef445a739c5bf5a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.473406039888774, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "67cc3e6e5ffec4cdeddfd9def40fc9035293880e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "d06bd073ee2709dc9e270f9e5e09d8f0", "path_pattern_hash": "ebfc9cc147746028ca30139889e0c240" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "79f56701b88fe160fbc4281f01f80a76ebc6f9f2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 45
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /htaccess.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /htaccess.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /htaccess.txt HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefox/3.8 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Fire Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefox/3.8 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "fe7fb6c34ca2836438b24e584c3a1c1a310eabc3", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "bcac0ded0564d5a60b4bf8080877283a3eb8cb0f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.294055818508813, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3ac09fdfe4b202ead7286124b3d1936b52a9e85e", "event_fingerprint": "b01fea722662896ba89b6589546a9a0c0d0416c2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1c28d4a85dae1d4d25766d9c95d60c7d", "payload_hash": "d0b38c20f0c673698c0fb411287fc851", "path_pattern_hash": "c9998214e9f1a3c7de61d98ecf85df84" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Fire", "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.8\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Fire", "evidence": { "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.8", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.8\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Fire", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1da3533880299ccf6c37ca74d6d3e43d83992ba6", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 7, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:35 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 48
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible / Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0.1 Safari/605.1.15 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Requête brute (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0.1 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "9acbcd67848e063b1c434f0c02ad1d7e1dba487d", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.28979195186512, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 48, "tag_count": 4, "anomaly_count": 0, "campaign_key": "24421d541809f378a94f055f49aae747dc5c0c97", "event_fingerprint": "0c0dd7ea17d508d534a97210ab73e65299d4331d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 48, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b02ba977fabd2018072f2251f3837bc7", "payload_hash": "d87d31921540decab46ed873e8f6b1af", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.0.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.0.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.0.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.0.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ddef24dfdcd0c10778ad9f91214c70e62d8b5787", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8000 · SAP ICM	sap-icm	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_get_probe mozi_pattern net_sap_web_probe sap_icm_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 User-Agent — Règles WAF — Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 383, "payload_entropy": 5.477375870598383, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "sap-icm", "app_proto": "sap-icm", "asn": 402253, "country": "CH", "dst_port": 8000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f4d3bfae803bd07fc62331c16ac15c5323341684", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "837babdb8aa41154d3b0ce977d0e5cd6", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 47 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "720f852a450853e345ea17e7fd01998f7437861a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "mozi_pattern", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 62
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/language/en-GB/install.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /administrator/language/en-GB/install.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console HTTP alt 8888 probe Ligne de requête `GET /administrator/language/en-GB/install.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/604.1 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Inte Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/604.1 Connection: close Accept: / Accept-Lang Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "dcd805daef97c9c8f62fe4badbdef4a91be15f76", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "374e3f21b83ce39520690c8e734b70b1147798ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 291, "payload_entropy": 5.322720239286298, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 8, "anomaly_count": 0, "campaign_key": "fb376f98f5956eb4e53250f8876febe29766bee8", "event_fingerprint": "6d0ee72cdfb0962f057fe0b360ad2958682d156d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606", "pat-0599" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606", "pat-0599" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1fc365b132e6582a22e72751e4f06d62", "payload_hash": "83b9ed26ae1009a286ee57b24428de58", "path_pattern_hash": "99d77b392b5126ef091af0d5186e18e0" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.5 Safari\/604.1", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.5 Safari\/604.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Lang", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "evidence": { "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.5 Safari\/604.1", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.5 Safari\/604.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Lang", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9dd9610ae862a01362069ba9d5278c3bc3bdd410", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /modules/custom.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /modules/custom.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /modules/custom.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "2c1d7eb48b0183fde95cf009c07a3c24f4b76d6f", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "632ece66dfb5ec5e21273c3861983a2ba62f07b7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.397557109598558, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d6e8359ccb7c973da6d8340bb8480f23bbbc9f0f", "event_fingerprint": "d97aabfdb68c59d548692c2255095c444cc0f30d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d6516895b066b2b4053a3c6ba2864c8c", "payload_hash": "fe81897320bb6a0735a2cb04433e8319", "path_pattern_hash": "f5ab2d5346f34e0a620fba1ef488dca0" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ae7ecab98f284cef7cf954710de3fa9465adf176", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encodi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 268, "payload_entropy": 5.3575076464115154, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "af7c2f2c5b92357fc273ada6f063657c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodi", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "evidence": { "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.4.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodi", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "51773f086a71b1d120728e45efdf3c44e967e16b", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /assets/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /assets/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "9deb03ee93b5c35fc64945fba2497110debf3fc9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.47508639231118, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "eec11d5e271f76228645add2cb087f1ab213dc78", "event_fingerprint": "100298b90220fb04697a868aae4019e427a495cb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "3e911c57f793b9b0b8ae5545e5bc062f", "path_pattern_hash": "69c03841151170259bac878d0fbd4b66" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e39c103f175eaccbb4aca995290df6e20106d01", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 45
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/2 Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "b0ef80ca3c5c35efb568f502bb55c13e5b9e1868", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "b5d12a1bd786a4e8ded40b52d9812a90023251c0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.283741358316026, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3ac09fdfe4b202ead7286124b3d1936b52a9e85e", "event_fingerprint": "53b5b60ade6a4e9050c7369b09bb58ba5927a778", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3cf0b6a82b24ff09934286639ff2d763", "payload_hash": "f49dab6c4e90bcbd92577c9000da7fc3", "path_pattern_hash": "37b7494e384a970799b9ec3c4b123d60" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/2", "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/20100101 Firefox\/84.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/20100101 Firefox\/84.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/2", "evidence": { "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/20100101 Firefox\/84.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/20100101 Firefox\/84.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko\/2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e0f59f3a9be7c5b06979310dab26051f47a60f32", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_joomla Cible HTTP GET /joomla/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /joomla/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla/ HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.18 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebK Requête brute (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.18 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "acbd9878a69106a3d738bdcd213073287566b65f", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "23653b39d3e34e9d6a111f32099d797b974403f2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 265, "payload_entropy": 5.351578572431412, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 53, "tag_count": 5, "anomaly_count": 0, "campaign_key": "e4eb29997fe15cbfdf9074c1b28f7af57bff336a", "event_fingerprint": "879171316e61364ae1aadda52962fcebf303f547", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3f26c142cb137584b2ab0c02ad94deb2", "payload_hash": "4962ab01eeba7e826241282388683b91", "path_pattern_hash": "d9cc85416b877e65f034d906e5cba1fd" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebK", "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit\/525.18 (KHTML, like Gecko) Version\/3.1.1 Safari\/525.18", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit\/525.18 (KHTML, like Gecko) Version\/3.1.1 Safari\/525.18\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding:", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebK", "evidence": { "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit\/525.18 (KHTML, like Gecko) Version\/3.1.1 Safari\/525.18", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebKit\/525.18 (KHTML, like Gecko) Version\/3.1.1 Safari\/525.18\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding:", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; U; PPC Mac OS X 10_5_2; en) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0bb704bbe7b561c4baecf9082bc5b88decc6b663", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/manifests/files/joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /administrator/manifests/files/joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console HTTP alt 8888 probe Ligne de requête `GET /administrator/manifests/files/joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Inte Requête brute (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Mobile/15E148 Safari/604.1 Connection: close Accept: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "0cbb1d7888f3aff3cea8ac0d3b67e3105dbcfb56", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "c6fb3f903fa16273b39114aec8b3d25d6a09b2eb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 308, "payload_entropy": 5.3257903804553495, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 7, "anomaly_count": 0, "campaign_key": "6ef011c3e2ab7d78a3a1e2daf851e6791fbf1a50", "event_fingerprint": "c4003514aa445ee6e9870af3546a5b3478db8dc9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606", "pat-0599" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606", "pat-0599" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "460c62e14cf0120c5abe549a756b83c4", "payload_hash": "0694c31acf0a32ccdb2d5cd649f3ef1e", "path_pattern_hash": "c4f3d5811d6d989618ffc547885c6936" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/15.5 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/15.5 Mobile\/15E148 Safari\/604.1\r\nConnection: close\r\nAccept:", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "evidence": { "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/15.5 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/15.5 Mobile\/15E148 Safari\/604.1\r\nConnection: close\r\nAccept:", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "85ba6418c06be575305fde46b60b6c5fb7a95863", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /plugins/system/debug/debug.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /plugins/system/debug/debug.xml Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /plugins/system/debug/debug.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Connection: close Accept: / Accept-Language: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "53c3b66807f57547ba58d7aa5094513a708f87e1", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "72342f75eb3d267db2b9e94ef476febfa2c522cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 285, "payload_entropy": 5.446590923234189, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "7b9b35c018c486b02737b03e4c4925d8bd948645", "event_fingerprint": "68a8e2373ef064a4594b7cc2f4be15dbd2269bcb", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3be77bffe74d8175dc91167a86876d03", "payload_hash": "c5d953506da37897942692d7ca60bd23", "path_pattern_hash": "5827499d7e8d83e6835edd2eb5f2a61b" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.107 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.107 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: ", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "evidence": { "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.107 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.107 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: ", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2cc972e0e8999615be1c4de53639ab0ad8c6c0c8", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.5.20) G Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko/ Firefox/3.6.6 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 227, "payload_entropy": 5.306766301778052, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "44ca2a904f62712b663aa174f845f82c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) G", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.6\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) G", "evidence": { "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.6\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) G", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dd082542f528a28a5461da57c55f4aca8061c7f9", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8080 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "3f64adb032f282a9da2d7027e8579434fd94567f", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.482008866710178, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f24aa19b861b9f57d88ee4561751cd3e6d0a2752", "event_fingerprint": "ce6e6b5cd0f2c787d88a3e4f9786d75497e87c8c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "a245edfccd33fbacbe366776db550ea3", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "62dc4b609b4db1c48979f40daa4d80fdf5297850", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 59
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /language/en-GB/en-GB.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /language/en-GB/en-GB.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /language/en-GB/en-GB.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Mobile/15E148 Safari/604.1 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15 Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Mobile/15E148 Safari/604.1 Connection: close Accept: / Accept-Lan Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "xml", "http_ua_hash": "ecabc29f5545e96db4e9b7012fbaa0c969066998", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 292, "payload_entropy": 5.362786871866849, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 59, "tag_count": 5, "anomaly_count": 0, "campaign_key": "0b149e0d123038584166b117481b0b43d586828d", "event_fingerprint": "47a717b8583a9c9f105a9732b8bed63bea882777", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 59, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "45dcea3f97adb2a7908e290c512cd7e7", "payload_hash": "7de1851b5d90c4200a337dabea9a446e", "path_pattern_hash": "99879359e0ccef25e57e05c0e6f11487" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15", "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.6 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.6 Mobile\/15E148 Safari\/604.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Lan", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15", "evidence": { "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.6 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.6 Mobile\/15E148 Safari\/604.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Lan", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9d77a9bdf1f7528b05e78cc00cb0c2cebe3578c5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /administrator/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/ HTTP/1.1` User-Agent Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (K Requête brute (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "87361dee088334626a9a5dd30f40e57b08d1b8a0", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "0f6d04d0a59f96b6ba5c15c3721804e572006f43", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.365157332574161, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 54, "tag_count": 7, "anomaly_count": 0, "campaign_key": "33ffeceb12d15e5f378b115e1323ad3382d49a40", "event_fingerprint": "4dd4d1a9a0dbad8e64d61f0a4f4bc89d8ae714db", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "50f403bfd8de15120bfccefe91d8e152", "payload_hash": "772aa57b52cfd674d92f8b211328d6ff", "path_pattern_hash": "cb8cd75c08bc9ba0c944ce837c38c33b" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (K", "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (K", "evidence": { "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/134.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (K", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "787cb7cfffaba72c38722fc730d4b10b55937232", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 46
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /htaccess.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /htaccess.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe Ligne de requête `GET /htaccess.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWeb Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encod Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "47db699aeada663f4f84f36b2659a2e399673928", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "bcac0ded0564d5a60b4bf8080877283a3eb8cb0f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.36274872966011, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f299807267cb9484ee40e7a8b2b4128d05fd8f59", "event_fingerprint": "de4523623af8733fef57eea3c2952ddd13670c40", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2ffbadfc736d4f562cc7b84eea8a5cd4", "payload_hash": "3163198c83ce1473d3ff3824dcbabb62", "path_pattern_hash": "c9998214e9f1a3c7de61d98ecf85df84" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWeb", "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encod", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWeb", "evidence": { "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encod", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWeb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9689e2ab1f34eb5e0d96fb9e1c9476a0dab4cd57", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /README.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /README.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /README.txt HTTP/1.1` User-Agent Mozilla/5.0 (Ubuntu; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Ubuntu; Linux i686) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Ubuntu; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "de5553cd4fbc6564edaf385ece5023e5a85c7d5d", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "ab9489e2835a4c90f6af65db2a350e9fbed45704", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.395939866019308, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ba7297ebbb265fdc848910cda0d09ed0eb083486", "event_fingerprint": "f3bfa9128cfb0ab730a6e1e1cc80d1e154e1bb1b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1e3f4052aaf0ef85279846cbbb474363", "payload_hash": "c3b92fc85ca09f22fa274249b51ad006", "path_pattern_hash": "f1da2ac495442188b42e61002c12ea20" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Ubuntu; Linux i686) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Ubuntu; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Ubuntu; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Ubuntu; Linux i686) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Ubuntu; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Ubuntu; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Ubuntu; Linux i686) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c602333be90c35f5f8fe8f0199af488a796d2392", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 8, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 51
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible / Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Ge Requête brute (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "47e0c85bac24373c46084869a39113d4de9ba402", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 243, "payload_entropy": 5.343873516101414, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 51, "tag_count": 4, "anomaly_count": 0, "campaign_key": "95dc1ce73c53e724d832306cbf7a85a6cf593aef", "event_fingerprint": "522acf0ca6f082b9c40b3657c8a4819fa96590c5", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 51, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "55e538734052120fad2cb85fc7cd536f", "payload_hash": "983b00deb1ca3febb12949eb79e07a8f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 51 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Ge", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Ge", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f034d8fd3aa5731c27e3e9519ea6af1d60b6fae8", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.10 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accep Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 276, "payload_entropy": 5.361960879054958, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0a14958c4acb281b3dcde1bed3f38e84", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.10 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccep", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.10 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccep", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "14b6aff3769f7b58b225fa4a1f8e8041dee4f7d5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /modules/custom.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /modules/custom.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /modules/custom.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/5 Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encodin Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "8bbd779f5203dcf429a0d555cf806706a52f1a52", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "632ece66dfb5ec5e21273c3861983a2ba62f07b7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.4190508929864425, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ad6b48964cd522362f5790c3a77e9bbdeb9db0d3", "event_fingerprint": "0c33c9dbd52cd874d5447db8b7517a270f1a49ee", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "300dbec170057b1fca17392c68d0acd7", "payload_hash": "06f2b0f0e718119eaba1984568733b20", "path_pattern_hash": "f5ab2d5346f34e0a620fba1ef488dca0" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/5", "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/50.0.2661.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/50.0.2661.75 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodin", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/5", "evidence": { "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/50.0.2661.75 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/50.0.2661.75 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodin", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/5", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f961f91917582776332df2cafc739222be0f96d4", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 60
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/help/en-GB/toc.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /administrator/help/en-GB/toc.json Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/help/en-GB/toc.json HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.4.21 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac O Requête brute (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.4.21 Connection: close Accept: / Accept-Langu Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "json", "http_ua_hash": "2ccd8f68e09df61859893d59c5180c5157c97827", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "617481da6f5867560cd2fdf70cb848ef7749246d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 290, "payload_entropy": 5.34044125804995, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 60, "tag_count": 8, "anomaly_count": 0, "campaign_key": "0a8761053f2e6be69b898023403cc4ef90bcd781", "event_fingerprint": "020b0ddf3ab7bc5de405d87f8f48780ea3b211cf", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "358836e2edb3e1845f16d5a7164041f0", "payload_hash": "18918c414e598a1ed139c95513cc4290", "path_pattern_hash": "ffc23282dc35670d41d8f4e8dae550a1" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.0 Safari\/605.4.21", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.0 Safari\/605.4.21\r\nConnection: close\r\nAccept: \/\r\nAccept-Langu", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "evidence": { "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.0 Safari\/605.4.21", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.0 Safari\/605.4.21\r\nConnection: close\r\nAccept: \/\r\nAccept-Langu", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac O", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84342e2d7e2550cc72ebf61763109d0b162f01fd", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 46
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe Ligne de requête `GET /joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko/20100101 Firefox/78.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gec Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko/20100101 Firefox/78.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "5db03e7d0e33d6cfba9108835e3379a2143eafa5", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "b5d12a1bd786a4e8ded40b52d9812a90023251c0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.259758436696721, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "f299807267cb9484ee40e7a8b2b4128d05fd8f59", "event_fingerprint": "9823adc4a493b5211aa12c255a3e8dc13055eb06", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 46, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "29ac2baa0944c314390b1d29ad0ee4d8", "payload_hash": "f569eaedc06f51d8c1b22a942389fd0c", "path_pattern_hash": "37b7494e384a970799b9ec3c4b123d60" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gec", "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko\/20100101 Firefox\/78.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko\/20100101 Firefox\/78.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gec", "evidence": { "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko\/20100101 Firefox\/78.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gecko\/20100101 Firefox\/78.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.10; rv:78.0) Gec", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7aefa4225293ed6755db067902d13ad73a35e844", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 379, "payload_entropy": 5.4864843225286535, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ba7297ebbb265fdc848910cda0d09ed0eb083486", "event_fingerprint": "0a3b3cc641a8b90ecec36bb3250aab9a0543f072", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "17f7f8935f278ed8872e9728a9818fdd", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0b9ec2787059ff9ac58b30bbb59a25e85c98c879", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/537.86.4 Connection: close Accept: / Accept-Language: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 286, "payload_entropy": 5.415819947819679, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "468589941edeea200df3fc06ed309d06", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/601.4.4 (KHTML, like Gecko) Version\/9.0.3 Safari\/537.86.4\r\nConnection: close\r\nAccept: \/\r\nAccept-Language:", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "evidence": { "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit\/601.4.4 (KHTML, like Gecko) Version\/9.0.3 Safari\/537.86.4\r\nConnection: close\r\nAccept: \/\r\nAccept-Language:", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1bcb45301022201fb585e8b67c91693dcba932e", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_joomla Cible HTTP GET /joomla/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /joomla/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla/ HTTP/1.1` User-Agent Mozilla/5.0 (Kubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Kubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Kubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "1a9573ec123aab50b17f190d99a452c708773fa6", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "23653b39d3e34e9d6a111f32099d797b974403f2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.414533843204863, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "4ae2a220f39b2964e0b7f6509aff519d3794276e", "event_fingerprint": "40bebc30f4d8389bf95c50547e5fad21829330dc", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "65748a700a0d983603e9bcdd430740d8", "payload_hash": "17d240dd5a6af6264f627dc795a1e3eb", "path_pattern_hash": "d9cc85416b877e65f034d906e5cba1fd" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Kubuntu; Linux x86_64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (Kubuntu; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Kubuntu; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Kubuntu; Linux x86_64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (Kubuntu; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Kubuntu; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Kubuntu; Linux x86_64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7eb250cef71f6535deccc74e58bbdf2ed286857a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /plugins/system/debug/debug.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /plugins/system/debug/debug.xml Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /plugins/system/debug/debug.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleW Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Enc Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "315e0b8afb1b1d0f02bb3e598ac9524a5db04ed7", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "72342f75eb3d267db2b9e94ef476febfa2c522cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.425347684659609, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 54, "tag_count": 5, "anomaly_count": 0, "campaign_key": "6143de84e2d6b56b716702567a26d64703050336", "event_fingerprint": "2321475c44660ef1b8091a6c7dc288e03ca35827", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e2a49354a444c05baec9fb54690a5cee", "payload_hash": "3d1142c3d3aa08f0aacdc16ec5e6a15f", "path_pattern_hash": "5827499d7e8d83e6835edd2eb5f2a61b" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleW", "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/117.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/117.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enc", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleW", "evidence": { "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/117.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/117.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enc", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleW", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "68346f8ba2a3722b7898bcb96450666728201716", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 60
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/language/en-GB/install.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /administrator/language/en-GB/install.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/language/en-GB/install.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Windows NT 6.2; Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "ec08a445f153be58256e9999ae1a56d8976f87ee", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "374e3f21b83ce39520690c8e734b70b1147798ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 259, "payload_entropy": 5.267121031962192, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 60, "tag_count": 8, "anomaly_count": 0, "campaign_key": "0a8761053f2e6be69b898023403cc4ef90bcd781", "event_fingerprint": "4c159dd94d94b1b903676483e8021f89e3edc8c1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 60, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3ccc09d65174738e3a800f1ac9a73d7b", "payload_hash": "2a011199b2d2a4c3343c415940a41e98", "path_pattern_hash": "99d77b392b5126ef091af0d5186e18e0" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2;", "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2;", "evidence": { "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2;", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cfd9ef54f6221639012878f7a618bbcb31d15d17", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 60
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /language/en-GB/en-GB.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /language/en-GB/en-GB.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe Ligne de requête `GET /language/en-GB/en-GB.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefox/3.6.11 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko/ Firefox/3.6.11 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "xml", "http_ua_hash": "0b10fcd9ca5dde548cc9e172de5235108a8f2e5b", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.313499494202293, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 60, "tag_count": 5, "anomaly_count": 0, "campaign_key": "17856ce90ec39579862ca02c00742d90789d74f5", "event_fingerprint": "ddfd597ca0b69c55e16ffeccaf6d6f522f2e5e8f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 60, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2fa8bd2648ccc6d425a5a54f58158171", "payload_hash": "7884b615080436715325076fe9c671b9", "path_pattern_hash": "99879359e0ccef25e57e05c0e6f11487" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 60 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20)", "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.6.11", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.6.11\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20)", "evidence": { "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.6.11", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20) Gecko\/ Firefox\/3.6.11\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:1.9.6.20)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "594d303c3cf620a2c80c521a0f1fbe30f39989e0", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /images/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /images/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /images/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "c3e02c33e4e599b13776537fef445a739c5bf5a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.4775346099494815, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d6e8359ccb7c973da6d8340bb8480f23bbbc9f0f", "event_fingerprint": "012dabddaa171d71d1cdf4f81925599ebef72255", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "053fcb1bb99129325249f4ed33e77b2f", "path_pattern_hash": "ebfc9cc147746028ca30139889e0c240" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "632462c3db9700bc2ef8452513a28d3bf36741b0", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 9, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 48
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible / Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140 Requête brute (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "2e4d1f104d6b9be982605b1b282e6effbdcb0fa0", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 210, "payload_entropy": 5.266401372591018, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 48, "tag_count": 4, "anomaly_count": 0, "campaign_key": "33b9986310f627411be5954a50b21c0dd18be6cd", "event_fingerprint": "21d478b01b65a92acaf01fb8e864bf215ffb4b49", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 48, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d47a8c1ff637e2ddc98c00ec97e41717", "payload_hash": "bf494a19c872319bbc1a4273ed61cb22", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 48 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:140.0) Gecko\/20100101 Firefox\/140", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:140.0) Gecko\/20100101 Firefox\/140.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:140.0) Gecko\/20100101 Firefox\/140.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:140.0) Gecko\/20100101 Firefox\/140", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:140.0) Gecko\/20100101 Firefox\/140.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:140.0) Gecko\/20100101 Firefox\/140.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:140.0) Gecko\/20100101 Firefox\/140", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e247884b36c40f15fecddb7dad6adb0057b773a8", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/6 Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/604.1 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzi Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 261, "payload_entropy": 5.376164961651651, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0991ecf95d2752a4ca4b2aeb7ceb5f4b", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.5 Safari\/604.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6", "evidence": { "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.5 Safari\/604.1\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzi", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2b82adc874e67df09dd675815be049a1ded28db2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 57
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /administrator/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/ HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleW Requête brute (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Enc Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "91f6398dda8330a6cb12726f50991afcb7f73fcf", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "0f6d04d0a59f96b6ba5c15c3721804e572006f43", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 271, "payload_entropy": 5.362992260700723, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 57, "tag_count": 7, "anomaly_count": 0, "campaign_key": "e4a36d2ef900e9bcbd77356936daf86d142d1c5e", "event_fingerprint": "39bfa878235f9524097e485faf5f05b3f722d50d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 57, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3561e625c2036e8a1eeab34217d7286b", "payload_hash": "3c759433bc8b2b11d1ec23f08b47d8e7", "path_pattern_hash": "cb8cd75c08bc9ba0c944ce837c38c33b" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleW", "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enc", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleW", "evidence": { "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Enc", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleW", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f920d4f93a76e5cd60f394235581121ebee017f9", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 45
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /README.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /README.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /README.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.3 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.3 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encod Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "2fa10962315293ce3275a530a6ed1b2e3137e09f", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "ab9489e2835a4c90f6af65db2a350e9fbed45704", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.369580318413144, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3ac09fdfe4b202ead7286124b3d1936b52a9e85e", "event_fingerprint": "c829b3e1e5f967569249d650c61dc0a27158141c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "79ff2d82e50f3438c39ec1643175cd3c", "payload_hash": "5cbfad215d74fd0d711285b65393a330", "path_pattern_hash": "f1da2ac495442188b42e61002c12ea20" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.3 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.3 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encod", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "evidence": { "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.3 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.3 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encod", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d7aeb4521a199583d741f8fdeba3571fa4e209f2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/manifests/files/joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /administrator/manifests/files/joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/manifests/files/joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Windows NT 10.0 Requête brute (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "0e93fa4e6fa7128e3ad4ebc516d37c89c5d44ad6", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "c6fb3f903fa16273b39114aec8b3d25d6a09b2eb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.269034238348209, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 54, "tag_count": 7, "anomaly_count": 0, "campaign_key": "33ffeceb12d15e5f378b115e1323ad3382d49a40", "event_fingerprint": "e5205b5a340f946886269ef4be5b3d556c9ad33e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "222bb92af5102d5110f0e2e9fad99c71", "payload_hash": "bac35fd8940fb0120a7fc1d811ac6d5a", "path_pattern_hash": "c4f3d5811d6d989618ffc547885c6936" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0", "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko\/20100101 Firefox\/134.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko\/20100101 Firefox\/134.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0", "evidence": { "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko\/20100101 Firefox\/134.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko\/20100101 Firefox\/134.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2159e5829215810bf11fb56bea39e34e7344c6e6", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /modules/custom.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /modules/custom.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe Ligne de requête `GET /modules/custom.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gec Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "0e2654b89fa2587e4bfea2f66b49e971d29f782e", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "632ece66dfb5ec5e21273c3861983a2ba62f07b7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.291384399103492, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "95202f00d3c52e73eca91eebd49f9d9b7131d601", "event_fingerprint": "fd1343e0aa56d4c2db63c301f345a285be969687", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2aa49388c4ba349f9ecf459b9d07c5f7", "payload_hash": "91146fe865097688316ac515e487df0b", "path_pattern_hash": "f5ab2d5346f34e0a620fba1ef488dca0" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gec", "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko\/20100101 Firefox\/24.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko\/20100101 Firefox\/24.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gec", "evidence": { "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko\/20100101 Firefox\/24.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko\/20100101 Firefox\/24.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gec", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4151c9901b76cc9c03e96a7ef77e9163c08b42ae", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /assets/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /assets/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "9deb03ee93b5c35fc64945fba2497110debf3fc9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.479214962371889, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "510aedbf490aab5e0b93691ea50c0e141f6f8570", "event_fingerprint": "f3ad482879600837395f3bc27377b965d5fe7e75", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "dff24bdb96d18f422d9cc8c055e7048c", "path_pattern_hash": "69c03841151170259bac878d0fbd4b66" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e980add81e257ea88c1b7b26f9de57324301a27c", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_joomla Cible HTTP GET /joomla/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /joomla/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla/ HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; rv:105.0) Gecko/20100101 Firefox/105.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:105.0) Gecko/20100101 Firefox Requête brute (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:105.0) Gecko/20100101 Firefox/105.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "a88520c43a718135275f08e7f5690932a7a96717", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "23653b39d3e34e9d6a111f32099d797b974403f2", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 214, "payload_entropy": 5.212745760602593, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 53, "tag_count": 5, "anomaly_count": 0, "campaign_key": "5cd0f1127f9517e343d78eb46af74f28f3b27483", "event_fingerprint": "71ed7edf55057e57fe05610f071b8afa33f8a935", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "97da508007be7a6eee28bd5b1a74eca7", "payload_hash": "0d6ef892d0f7a992add77dc2b54eb7e8", "path_pattern_hash": "d9cc85416b877e65f034d906e5cba1fd" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:105.0) Gecko\/20100101 Firefox", "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; rv:105.0) Gecko\/20100101 Firefox\/105.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:105.0) Gecko\/20100101 Firefox\/105.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:105.0) Gecko\/20100101 Firefox", "evidence": { "method": "GET", "path": "\/joomla\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; rv:105.0) Gecko\/20100101 Firefox\/105.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla\/ HTTP\/1.1", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:105.0) Gecko\/20100101 Firefox\/105.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:105.0) Gecko\/20100101 Firefox", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a80cafc4e4c7bd4ee4e90b7e73a98a7527988c63", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 User-Agent — Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 379, "payload_entropy": 5.484339443920984, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2d04cda67e5c2d7d8ff2d35c49cf0e78", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "42b355bd1cf89fe1aa874ac78e0c22b82c6e1fb9", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 62
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/help/en-GB/toc.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /administrator/help/en-GB/toc.json Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/help/en-GB/toc.json HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33. Requête brute (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "json", "http_ua_hash": "12831f0d79add8407105fb2657c42b178852f398", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "617481da6f5867560cd2fdf70cb848ef7749246d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 238, "payload_entropy": 5.262227341990376, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 8, "anomaly_count": 0, "campaign_key": "f9026dc64372d84de388021fd60d883b28094394", "event_fingerprint": "bf0524ccc68a4234c82c0dd00e31fb976a58298d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7ac598febffae5d4183dcc08be931b41", "payload_hash": "e045d9eedbf81fd2efe16c6a34c6b603", "path_pattern_hash": "ffc23282dc35670d41d8f4e8dae550a1" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:33.", "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; rv:33.0) Gecko\/20100101 Firefox\/33.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:33.0) Gecko\/20100101 Firefox\/33.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:33.", "evidence": { "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; rv:33.0) Gecko\/20100101 Firefox\/33.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:33.0) Gecko\/20100101 Firefox\/33.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:33.", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e815e73d66fc07d3e1db00f6d194d2e8e4e0d8c2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 45
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 379, "payload_entropy": 5.485190852883078, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "3ac09fdfe4b202ead7286124b3d1936b52a9e85e", "event_fingerprint": "22b180357aadd6621c83358db48bed7dd2e041d1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 45, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "f9ed56bf559c318490ec2e5860e08513", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 45 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1eacf1c6eb50a26f2aab6843fb468ea0723659f3", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 44
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /htaccess.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /htaccess.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /htaccess.txt HTTP/1.1` User-Agent Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "fb5d7900731ba7aff7233423d49abfdb73f16384", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "bcac0ded0564d5a60b4bf8080877283a3eb8cb0f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.412295375595156, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9c5d7559adb354e2d91efec1e4141f730ae1871f", "event_fingerprint": "890a7e4938f20741b4d6cd43c38668535eeabb89", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "85ff988119bdcdce8a380162d3d38065", "payload_hash": "876c2988cfbabb85c5f1fd6639529586", "path_pattern_hash": "c9998214e9f1a3c7de61d98ecf85df84" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/142.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/142.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/142.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/142.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f6ca21cfed128dc7e3db8a7d7f6076cb9cb38e59", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:35 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /plugins/system/debug/debug.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /plugins/system/debug/debug.xml Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTP alt 8888 probe Ligne de requête `GET /plugins/system/debug/debug.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "27a26f24e37533aff43b993f891bc3a8847bca57", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "72342f75eb3d267db2b9e94ef476febfa2c522cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.31163135838638, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "0f0c22d4db2c7da618ccd67d154fac749b03771a", "event_fingerprint": "9159533b914f2b896158abb2d0957695b78a571d", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0599" ], "matched_pattern_names": [ "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0599" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3060ce45a38029856f7cef44ab45999f", "payload_hash": "d8bb8c9b05319dd534db1e676d507da0", "path_pattern_hash": "5827499d7e8d83e6835edd2eb5f2a61b" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "evidence": { "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko\/20100101 Firefox\/114.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "17c5d1750bde5a7707bcb4c4fda10e327fefb8b7", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8086 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8086 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8086 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a582d496e666c757864622d56657273696f6e3a20322e372e340d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2036370d0a0d0a7b226e616d65223a22686f6e6579706f742d696e666c7578222c226d6573", "emulator_response_len": 165, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "6ab244efad12802dd83aef956fed419ab36d629f", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.486169775439769, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8086, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d6e8359ccb7c973da6d8340bb8480f23bbbc9f0f", "event_fingerprint": "8656f9fdd6f67c5e538218a35898076a75191387", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "a105fa46ee5bf72170509a15bffd2320", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 8086, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8086\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac1eac03ff0cda3322401e86892e287532d4ef7f", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /administrator/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/ HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.5 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Ge Requête brute (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.5 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "8e31267dd06c959e88ddef9baf4f36b36254b9d8", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "0f6d04d0a59f96b6ba5c15c3721804e572006f43", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 234, "payload_entropy": 5.2472486530362765, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 53, "tag_count": 7, "anomaly_count": 0, "campaign_key": "73c2020b4746f1012c480e790b5712ac9c72761d", "event_fingerprint": "fcba7731a0b24da78ee16b14775cc71254bbaa3d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e55bef19fde9b2c3992a9654c38770d4", "payload_hash": "dfc4561c884d090b6aa3a1cbc08fd630", "path_pattern_hash": "cb8cd75c08bc9ba0c944ce837c38c33b" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Ge", "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko\/20100101 Firefox\/140.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko\/20100101 Firefox\/140.5\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Ge", "evidence": { "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko\/20100101 Firefox\/140.5", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko\/20100101 Firefox\/140.5\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Ge", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "401bb3d521441023f45307670af60c5bb5227134", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 User-Agent — Règles WAF — Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 386, "payload_entropy": 5.475428628104127, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fca3b3ea6e7543d633a0462f2af223ad", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7edb7a6462ed42ae282d95a1d6f6d9b3eaddc2da", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:35 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 62
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/language/en-GB/install.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /administrator/language/en-GB/install.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/language/en-GB/install.xml HTTP/1.1` User-Agent Mozilla/5.0 (ZZ; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (ZZ; Linux i686) Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (ZZ; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Acc Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "2e95f0790b4c0a7d8d35ae6a7c0c76e535b6d96a", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "374e3f21b83ce39520690c8e734b70b1147798ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 278, "payload_entropy": 5.364188097448255, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 7.3, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 62, "tag_count": 8, "anomaly_count": 0, "campaign_key": "f9026dc64372d84de388021fd60d883b28094394", "event_fingerprint": "4ca46600a8d380ec54e24ccd9219e50eb8c0843b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 62, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8cecceca77723ee8cd4f9a701c56a340", "payload_hash": "b441d27e00fb2f1d7a66ab62ded99e3c", "path_pattern_hash": "99d77b392b5126ef091af0d5186e18e0" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686)", "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (ZZ; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAcc", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686)", "evidence": { "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (ZZ; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/135.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAcc", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux i686)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "372e9de7b8a32ce77ac4453033c841942bee71c4", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /images/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /images/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /images/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "c3e02c33e4e599b13776537fef445a739c5bf5a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.476264597007324, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ad6b48964cd522362f5790c3a77e9bbdeb9db0d3", "event_fingerprint": "deb0790cde0a6f2c76c86ba0cfaf43104b773b2b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "eac4914210b4877758602bd6178386f9", "path_pattern_hash": "ebfc9cc147746028ca30139889e0c240" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c15435a57142d57d7fe0c22c004fbecb539ffacc", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:35 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 44
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encod Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "e5b662103d06a2696da233234843f73f92170400", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "b5d12a1bd786a4e8ded40b52d9812a90023251c0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.3462320844447655, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9c5d7559adb354e2d91efec1e4141f730ae1871f", "event_fingerprint": "8315f1994ab58e0e60567e10eebcd9a1d49900f3", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ea16b0fdf0e4c1f1361934a0014351de", "payload_hash": "3794346af611ad005504cf615a0cec70", "path_pattern_hash": "37b7494e384a970799b9ec3c4b123d60" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encod", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "evidence": { "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/14.1.2 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encod", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKi", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "87a29467d535ecf4b64087199d60ace238f6fa17", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 10, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }

209.99.187.19

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence