Renseignement sur les menaces

Suisse

209.99.187.19

FAI SKN Subnet & Telecom Ltd Première vue 07/06/2026 00:44 UTC Dernière vue 07/06/2026 07:11 UTC Risque Moyen

Période analysée : 2026-06-01 → 2026-06-08

risque 49/100 — MITRE T1046

Base IP Signaler JSON CSV STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Moyen · Risque max (7j) Moyen

Synthèse exécutive

Profil de menace

Score de risque 63/100 Moyen

Première observation 07/06/2026 00:44 UTC

Dernière observation 07/06/2026 07:11 UTC

Événements (période) 1,833

MITRE ATT&CK principal T1046

risque 49/100 — MITRE T1046

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_scan_syn » (signaux protocolaires) · confiance 100%

Comparaison ASN / FAI

ASN 402253 · 209.99.184.0/21 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 1,833 événements sur la période pour cette IP.

209.99.187.52 Sonde port 08/06/2026 19:36 UTC
209.99.185.59 Sonde port 08/06/2026 19:35 UTC
209.99.190.113 Sonde SSH 08/06/2026 16:22 UTC
209.99.187.91 Sonde port 1723/TCP 07/06/2026 22:52 UTC
209.99.188.147 Sonde port 07/06/2026 06:26 UTC
209.99.191.9 Scan de ports 06/06/2026 15:26 UTC
209.99.189.177 Sonde SSH 26/05/2026 21:16 UTC
209.99.184.233 telnet attack 24/05/2026 05:42 UTC

Événements (filtres)

1,833

Première observation

07/06/2026 00:44 UTC

Dernière observation

07/06/2026 07:11 UTC

Dernière activité (filtres)

07/06/2026 07:11 UTC

Événements 7j

1,833

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 1,207 HTTPS TCP 304 SAP ICM TCP 152 ELASTICSEARCH TCP 152 MONGODB TCP 7 MONGODB CONFIG TCP 2 MONGODB HTTP TCP 2 MONGODB SHARD TCP 2 PROMETHEUS TCP 1 INFLUXDB TCP 1 WEBLOGIC SSL TCP 1 WEBSPHERE TCP 1 HTTP ALT 8880 TCP 1

HTTP

1,207

HTTPS

304

SAP ICM

152

ELASTICSEARCH

152

MONGODB

MONGODB CONFIG

Géolocalisation

Origine réseau déclarée

Suisse unknown unknown

FAI / réseau

Opérateur et dernière activité ban

SKN Subnet & Telecom Ltd 0 Port 9443 port_scan_syn

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

recon

Aperçu payload

GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple

Port / service

9443 · HTTPS

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Campagne ports

Recommandation

Surveiller

Confiance

100%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

1,833 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

1833 événement(s) — page 1/37

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
07/06/2026 07:11:37 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 379, "payload_entropy": 5.481054186670756, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0284", "pat-0600" ], "matched_pattern_names": [ "CRS 941130", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0284", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "386f471694968a1eb37c266cfe0c4a79", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d312b06b93b433a6e6f455230d274b9b9be913be", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:37 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 386, "payload_entropy": 5.472202948057918, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0284", "pat-0600" ], "matched_pattern_names": [ "CRS 941130", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0284", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e9b3d32abef6e79ac94f29580e72ddc0", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "94781feec5f3b7ab04aac02ef2024f0f951e4e10", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:37 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 386, "payload_entropy": 5.473883300480325, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0284", "pat-0600" ], "matched_pattern_names": [ "CRS 941130", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0284", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "69be8396b32a17279097403cb9ac8238", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed62b4f2df4c8e6d26e8a1135196cc16cd56c816", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:37 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 383, "payload_entropy": 5.480796351183519, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0284", "pat-0600" ], "matched_pattern_names": [ "CRS 941130", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0284", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1ae3ee3cf4d1eee85519189bad7888e8", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "422e1cccc93686a3942317dc4d166098d55dd966", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 59
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/language/en-GB/install.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /administrator/language/en-GB/install.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/language/en-GB/install.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Ubuntu; Li Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "005fbc4ab2183bf8c673b2b7f188c6fdd4f12456", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "374e3f21b83ce39520690c8e734b70b1147798ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 256, "payload_entropy": 5.3079964899439815, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 59, "tag_count": 8, "anomaly_count": 0, "campaign_key": "9d3bbaf70c4db3acf7da4913d653e259f9097a9b", "event_fingerprint": "05e3f1cd9d4dc4d2ecf11a2130c3d7f3ad82ea77", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 59, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9ecc9d68a61060f6a2a899b3febeb5c0", "payload_hash": "8db2808250ceb447bd1d43c2c4957baf", "path_pattern_hash": "99d77b392b5126ef091af0d5186e18e0" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 59 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li", "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li", "evidence": { "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko\/20100101 Firefox\/88.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6f0a6b542dc2d06a9a9b4ce78c95ca9179e1bc6a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	8443 · HTTPS	https	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_web_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 User-Agent — Règles WAF — Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 383, "payload_entropy": 5.484047297653067, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2aa17a6b515596b20eaea8d57184d62da9f48dfc", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "78969a4fc8cb4448ed66026df506b654", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 47 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "241fad9585a80038a66f3db3f750c9a8f8376b7b", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /htaccess.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /htaccess.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /htaccess.txt HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Geck Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "b60f0f42926189e1662b708aac1092d571b08770", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "bcac0ded0564d5a60b4bf8080877283a3eb8cb0f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 232, "payload_entropy": 5.280663350949261, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2d85d4d5e5280806e0f57eab59329e6d9e70a988", "event_fingerprint": "a4b53130cf7d44f1c573119f6506366edf1ac6bb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f70a1b69413fe829e75eadc70a7d31d3", "payload_hash": "75d7f7e9aa0ab248f0879360a94ac94b", "path_pattern_hash": "c9998214e9f1a3c7de61d98ecf85df84" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Geck", "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Geck", "evidence": { "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko\/20100101 Firefox\/138.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Geck", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4732e55d5845785d6948142e899735ed0d6350f", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:36 UTC	TCP	8880 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8880 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8880 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "6f2c22ac9e61885d82ed7f07dd56e4791b76cc36", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.484889814615556, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8880, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ad6b48964cd522362f5790c3a77e9bbdeb9db0d3", "event_fingerprint": "829b521cd3c544ace34bee577fe8850ffdd17058", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "e05551c0b888fb7e3dfbd4bccbd2ed9e", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 8880, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8880\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "033be94c41cbb090aed8364fc942b48f7c3d4f86", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 52
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /modules/custom.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /modules/custom.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /modules/custom.xml HTTP/1.1` User-Agent Mozilla/5.0 (Debian; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Debian; Linux i686) AppleWebKit/537.3 Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Debian; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "d10c4e2d0485f9e62d840eb53cca0e91d2300e06", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "632ece66dfb5ec5e21273c3861983a2ba62f07b7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 260, "payload_entropy": 5.3565178242282325, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "453498e87e825cecea3232558f84c7576c449cac", "event_fingerprint": "45df7cfe6aebbd94ff708990e3be8b31a6f76501", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b1797610bb39e36244960d837e64af4c", "payload_hash": "bb36aac2d529b1b96ae67a48b4aeb833", "path_pattern_hash": "f5ab2d5346f34e0a620fba1ef488dca0" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.3", "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.3", "evidence": { "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/136.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Debian; Linux i686) AppleWebKit\/537.3", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "743a9d7e6473e4dc29eb4813cc58a54b1877dc8e", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /images/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /images/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 HTTP alt 8888 probe Ligne de requête `GET /images/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "c3e02c33e4e599b13776537fef445a739c5bf5a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.477643014042659, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "95202f00d3c52e73eca91eebd49f9d9b7131d601", "event_fingerprint": "c971772eb86a5edc9b6474f94d44849cb2d388c9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284", "pat-0599" ], "matched_pattern_names": [ "CRS 941130", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0284", "pat-0599" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "c2a05464c9fd8ca8a66f1a11778617d8", "path_pattern_hash": "ebfc9cc147746028ca30139889e0c240" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e9c2c5c667e49d60f9456ab852da625bc29e579f", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/ TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /administrator/ Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/ HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/ Firefox/3.6.4 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/ Fire Requête brute (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/ Firefox/3.6.4 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": "61e23039032a4a3004d8a088aa650990e4cbd032", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "0f6d04d0a59f96b6ba5c15c3721804e572006f43", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 217, "payload_entropy": 5.292584049194737, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 50, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25 }, "risk_score": 56, "tag_count": 7, "anomaly_count": 0, "campaign_key": "927f1d095b9c94fcbcba50cba0ce935ed980e155", "event_fingerprint": "07d987571b26264661b71594d51b842d485cda3f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2a75f30ce091d80f378659d94b0b224e", "payload_hash": "f14d73936460f6affa2796fa2a1f8da1", "path_pattern_hash": "cb8cd75c08bc9ba0c944ce837c38c33b" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 56 }, "payload_preview": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Fire", "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Fire", "evidence": { "method": "GET", "path": "\/administrator\/", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/ HTTP\/1.1", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.4\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Fire", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d230846e709dbd9436ebecadf3ee7e163d3cd07a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_elasticsearch_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/manifests/files/joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /administrator/manifests/files/joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/manifests/files/joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Ubuntu; Li Requête brute (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "ac4a2d9624ae9d15d2981a9c471de439e583e1be", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "c6fb3f903fa16273b39114aec8b3d25d6a09b2eb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 258, "payload_entropy": 5.311892831448649, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 53, "tag_count": 7, "anomaly_count": 0, "campaign_key": "73c2020b4746f1012c480e790b5712ac9c72761d", "event_fingerprint": "782b66b4dee4bb6664eff9e901b22cad8afa3e0c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "96b2d25b409cae88dc3740a307615a2e", "payload_hash": "d5d2e3cb00729533a7de805ce58abd88", "path_pattern_hash": "c4f3d5811d6d989618ffc547885c6936" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li", "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li", "evidence": { "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/113.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Ubuntu; Li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d089256542e8013906dc497d1fb132c386ac6f1", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537. Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c8270b9b8142897881f4b1fc833d72674a8d2ada", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "b5d12a1bd786a4e8ded40b52d9812a90023251c0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.425617903590705, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2d85d4d5e5280806e0f57eab59329e6d9e70a988", "event_fingerprint": "deadcd64c7fe2af7d77476482ebaa6122ba1d9d7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f04de0dc23d510d00054f809c14d1a7c", "payload_hash": "2b6ad6213040359e6627a3ee381f82a6", "path_pattern_hash": "37b7494e384a970799b9ec3c4b123d60" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "evidence": { "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/79.0.3945.79 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "696437ecee1527ebd8443c401bd3ed4bffe7b4dd", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 43
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 12 Recommandation Surveiller Tags 950468:nosqli-3 950470:nosqli-3 http_sensitive_path net_web_probe Cible HTTP GET /plugins/system/debug/debug.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /plugins/system/debug/debug.xml Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /plugins/system/debug/debug.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15 Règles WAF nosqli-3 Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15 Connection: close Accept: / Accept-Language Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "55c10e202d2cc830c6fad83ee818b598f6862443", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "72342f75eb3d267db2b9e94ef476febfa2c522cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 287, "payload_entropy": 5.3402480108949195, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 56, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 56, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d98952e55e4ee4391cf0f735d31b1e44de4bbae9", "event_fingerprint": "23158d7e17170f84bfcdb9e52aec5f27a1fc3b18", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 56, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 43, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0a0d4a14746a311ad7eac155020e41aa", "payload_hash": "ac18233efb7a05a3fb143727c33f1722", "path_pattern_hash": "5827499d7e8d83e6835edd2eb5f2a61b" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X", "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X", "evidence": { "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15", "waf_tags": [ "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.5 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "061635635c9ee3e16df97c2ab857d52718b8cc49", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /assets/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 HTTP alt 8888 probe Ligne de requête `GET /assets/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "9deb03ee93b5c35fc64945fba2497110debf3fc9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.479323366465066, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "3eb82effec4fd68bb5741ddc17991a74ad0a173f", "event_fingerprint": "45aead2819b9897c79d424e6ce8a74a1badf2805", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284", "pat-0599" ], "matched_pattern_names": [ "CRS 941130", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0284", "pat-0599" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "b54662bc4a1f3dacefeb655b43f9b136", "path_pattern_hash": "69c03841151170259bac878d0fbd4b66" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2f17932fdd5d5400944a5efee4000d9b7f7f558b", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 84 }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 62
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/help/en-GB/toc.json TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /administrator/help/en-GB/toc.json Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/help/en-GB/toc.json HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko/ Firefox/3.6.15 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1. Requête brute (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko/ Firefox/3.6.15 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "json", "http_ua_hash": "1f4dbecf47188503e6908ec06829f6dd7a781c4e", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "617481da6f5867560cd2fdf70cb848ef7749246d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.293309789848276, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 50, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25 }, "risk_score": 62, "tag_count": 8, "anomaly_count": 0, "campaign_key": "6015fbc4f081b36082f311f163f79ec1a839c2bd", "event_fingerprint": "9139a98aa1c341643ac8af91b46b2cad85689fb1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25, "risk_score": 62, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a7d2f0a22e771a26d02125cd443a890b", "payload_hash": "6b4bab17fccee2698579c3dd46e9104e", "path_pattern_hash": "ffc23282dc35670d41d8f4e8dae550a1" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 62 }, "payload_preview": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.", "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.", "evidence": { "method": "GET", "path": "\/administrator\/help\/en-GB\/toc.json", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/3.6.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4e265df3b9e6a5a137221ce1dedfc035a5f825c1", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_elasticsearch_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 44
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /htaccess.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /htaccess.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /htaccess.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko/20100101 Firefox/134.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko/20100101 Firefox/134.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "47ea7c9dd9500081c965a8730f01d7cf6bd9a93a", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "bcac0ded0564d5a60b4bf8080877283a3eb8cb0f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 236, "payload_entropy": 5.2380856769783755, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1f8759a0e0560315629a38b5e9d59ae4cf9944cf", "event_fingerprint": "a8c4a86ace2b8d0cda2fac04c97cedecd5f9c7da", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8e90eeb938998c9e6282d9d26c571010", "payload_hash": "e5fd3a7487060dd779f9a0d251906921", "path_pattern_hash": "c9998214e9f1a3c7de61d98ecf85df84" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) ", "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0)", "evidence": { "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0) Gecko\/20100101 Firefox\/134.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:134.0)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "416ff95eb7f07d046fb1cc2d90daee8745ecee9b", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 61
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /language/en-GB/en-GB.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /language/en-GB/en-GB.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /language/en-GB/en-GB.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13 Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "xml", "http_ua_hash": "6520f92909030fedc2988f94867842355245f954", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 283, "payload_entropy": 5.362277545253494, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "be5b28f43d32d2b79fe89f9c1fa69e946815f9cc", "event_fingerprint": "9c704e3591c4866cda12a9728a9f223f59282088", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 61, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "60b020b82d036bb802d8f15e5e7fa429", "payload_hash": "a41f4cce23866ad427569561c135a066", "path_pattern_hash": "99879359e0ccef25e57e05c0e6f11487" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 61 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13", "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13", "evidence": { "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.2 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7a965a053575b6b7522b90251905ff61a84075f5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 44
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /README.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /README.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /README.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/6 Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "965ff8e2242872badfc916d53e953e9421712f2e", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "ab9489e2835a4c90f6af65db2a350e9fbed45704", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 264, "payload_entropy": 5.341336259351414, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9c5d7559adb354e2d91efec1e4141f730ae1871f", "event_fingerprint": "1a80ff19830eb1aa2d129bd3d9abcd9526506df0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9d60aea58f73e41216ec1d195ee03b6a", "payload_hash": "d1fa8b0eb289e778c903b842c6819a11", "path_pattern_hash": "f1da2ac495442188b42e61002c12ea20" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6", "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6", "evidence": { "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.6 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit\/6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "467ba95affaa50b9a14d6962dd72aab09b8129c7", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	8888 · HTTP	http	Scan de ports	Élevée	Moyen · 54
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 HTTP alt 8888 probe Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:8888 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "b22a9d6496fdf8cd57a772fe70fa6b428c1a78bb", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.486279028651169, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 8888, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "95202f00d3c52e73eca91eebd49f9d9b7131d601", "event_fingerprint": "323f93d77f93e3da37317f005e5cda72897e2315", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284", "pat-0599" ], "matched_pattern_names": [ "CRS 941130", "HTTP alt 8888 probe" ], "pattern_ids": [ "pat-0284", "pat-0599" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "71e3ba179f4c4c427c9798d79db62911", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:8888\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "94ad3200b50b6546b7037791b690c0f6417a4e8a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 62
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /administrator/language/en-GB/install.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /administrator/language/en-GB/install.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/language/en-GB/install.xml HTTP/1.1` User-Agent Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (ZZ; Linux x86_6 Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (ZZ; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en A Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "2aadc66e2d0d6b19b5c1dc0949c6a4c50bef3ccd", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "374e3f21b83ce39520690c8e734b70b1147798ba", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 280, "payload_entropy": 5.4145192685239865, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 50, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.6, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25 }, "risk_score": 62, "tag_count": 8, "anomaly_count": 0, "campaign_key": "6015fbc4f081b36082f311f163f79ec1a839c2bd", "event_fingerprint": "e9bfe9884989619c61e5dbde583eeac8e0aff76d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25, "risk_score": 62, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "26f16ed5ec807682bc28ec6b76672236", "payload_hash": "da285868351f80f351d808f844daa7b1", "path_pattern_hash": "99d77b392b5126ef091af0d5186e18e0" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 62 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_6", "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nA", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_6", "evidence": { "method": "GET", "path": "\/administrator\/language\/en-GB\/install.xml", "user_agent": "Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nA", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (ZZ; Linux x86_6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44aec872d6460ac0bfe6ec45e2cf6e3d573fac87", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_elasticsearch_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 44
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko/ Firefox/6.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko/ Firefox/ Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko/ Firefox/6.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "8339b4acdf577e2b24cab540d8a972c8d1e7b4a6", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "b5d12a1bd786a4e8ded40b52d9812a90023251c0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 211, "payload_entropy": 5.271250677479469, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1f8759a0e0560315629a38b5e9d59ae4cf9944cf", "event_fingerprint": "582a6cb1b4f1e6bba14685816c567b585d6f8d77", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c4bf3fb97070dc3c9a96fcad289b2eda", "payload_hash": "15a15dd4b0f3a3e699bd3548d9789144", "path_pattern_hash": "37b7494e384a970799b9ec3c4b123d60" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/", "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/", "evidence": { "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/6.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.5.20) Gecko\/ Firefox\/", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fead26eb95da5f0fd533308a50f5a1d7cd8004b4", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /modules/custom.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /modules/custom.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /modules/custom.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "83e599b94f7817a451a1792c6fb4264c84f03f8f", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "632ece66dfb5ec5e21273c3861983a2ba62f07b7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 236, "payload_entropy": 5.274994248737962, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5fea04cc985cce942f1ed846fb59e77df424e101", "event_fingerprint": "86949080eb83b51bf85013c8ac83da73943eaf7c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6ead205f397a7e3c8afaeabd9dade729", "payload_hash": "7f27bde6e1a333d9325c7c2162e3872b", "path_pattern_hash": "f5ab2d5346f34e0a620fba1ef488dca0" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0)", "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0)", "evidence": { "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101 Firefox\/91.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0)", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c7fe739e7cc2df54e0a1cee9dc8046ca2cfbdfe6", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 44
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 379, "payload_entropy": 5.4743123487764445, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "9c5d7559adb354e2d91efec1e4141f730ae1871f", "event_fingerprint": "4651a329b01f2679f1a7bc8c4046bc99b1bd4e8a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "408f6a31275a17a3c915c6554c34b447", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0ef512dbc9944ebe2cd446c085b3a2ad36066dbd", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_admin_panel_probe Cible HTTP GET /administrator/manifests/files/joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /administrator/manifests/files/joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ET Joomla admin ES admin GET Probe /administrator/ ActiveMQ console Ligne de requête `GET /administrator/manifests/files/joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Inte Requête brute (extrait) GET /administrator/manifests/files/joomla.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1 Connection: close Accept: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "2aaad91811e4d48f8e2af76c4257f29d8895c9e5", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "c6fb3f903fa16273b39114aec8b3d25d6a09b2eb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 308, "payload_entropy": 5.349515194072036, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 50, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.3, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25 }, "risk_score": 56, "tag_count": 7, "anomaly_count": 0, "campaign_key": "927f1d095b9c94fcbcba50cba0ce935ed980e155", "event_fingerprint": "9e5edd369d314f45b23a5dd7fb490ad5df0c88a0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "matched_pattern_names": [ "ET Joomla admin", "ES admin GET", "Probe \/administrator\/", "ActiveMQ console" ], "pattern_ids": [ "pat-0853", "pat-0341", "pat-0238", "pat-0606" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "e83d69b141a15ce2b755f6bc9aec8730", "payload_hash": "ce8380e42496e49af1e7a61c6f194dc9", "path_pattern_hash": "c4f3d5811d6d989618ffc547885c6936" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 56 }, "payload_preview": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1\r\nConnection: close\r\nAccept:", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "evidence": { "method": "GET", "path": "\/administrator\/manifests\/files\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1", "request_sample": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1\r\nConnection: close\r\nAccept:", "payload_snippet": "GET \/administrator\/manifests\/files\/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f394d7f6c54843f2b61f6b9159d1e362d68fa43e", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_admin_panel_probe", "http_admin_panel_scan", "http_probe_joomla", "net_elasticsearch_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 58
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /language/en-GB/en-GB.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /language/en-GB/en-GB.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /language/en-GB/en-GB.xml HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Ap Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Connection: close Accept: / Accept-Language: en Ac Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "xml", "http_ua_hash": "5d77db8f57d6365bde54bc9c97e5d83b5074eac5", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 279, "payload_entropy": 5.427849932821815, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 58, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a74ffb95ba511311a069e942408f4165a6831da3", "event_fingerprint": "278e5328bf9c5cbc1265905b6148be3c2b64aeb6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 58, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "52b641b5cd5f9c6f1a0ba8d4957c3d24", "payload_hash": "42c12a917501eae7ba41ed282f95efea", "path_pattern_hash": "99879359e0ccef25e57e05c0e6f11487" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 58 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Ap", "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAc", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Ap", "evidence": { "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAc", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f0275e47e0e9d8826d44f224b1169a51eaa1e90d", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /plugins/system/debug/debug.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /plugins/system/debug/debug.xml Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /plugins/system/debug/debug.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15 Connection: close Accept: / Accept-Language Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "8f949e3e92a6442150d2ad03376ac68619676d64", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "72342f75eb3d267db2b9e94ef476febfa2c522cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 287, "payload_entropy": 5.3760787387700155, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a2444edec96b7413c0d38fa1f7025d9e8539ba0a", "event_fingerprint": "8526e3d6005d9002e7ee755821cd3161991d35c8", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5d235e329a4ccabef6c796a3246460b0", "payload_hash": "c9de5b5acae4c0ce8d5774811e7c4bb2", "path_pattern_hash": "5827499d7e8d83e6835edd2eb5f2a61b" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "evidence": { "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/17.2 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "24a03254da572babe6875c7d110f52d1874b18c8", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 52
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /images/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /images/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /images/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "c3e02c33e4e599b13776537fef445a739c5bf5a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.4655833714725715, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "453498e87e825cecea3232558f84c7576c449cac", "event_fingerprint": "2ee3781ffe1da68f5efab84a7f93bcaf11fbcda0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "ca7c5021e44812c8ae14f06574b139f8", "path_pattern_hash": "ebfc9cc147746028ca30139889e0c240" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7d15008ce3caa64373adc15110fa941a9794a4f8", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_elasticsearch_probe Cible HTTP GET /htaccess.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /htaccess.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /htaccess.txt HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/ Firefox/3.6.9 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/ Firefo Requête brute (extrait) GET /htaccess.txt HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/ Firefox/3.6.9 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "047fc0056fed61b21a978f7b64cfed6da1000f90", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "bcac0ded0564d5a60b4bf8080877283a3eb8cb0f", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 215, "payload_entropy": 5.273755688385092, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2d3eb8cda349d616807a1b4984eb3302b1e0ff1f", "event_fingerprint": "22909c2c358f2deb431b10ca3140d39e9c06ae94", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "557b4340179414b169baa7e616709ff3", "payload_hash": "1b083be330c762ed492eb958139cde5d", "path_pattern_hash": "c9998214e9f1a3c7de61d98ecf85df84" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 47 }, "payload_preview": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefo", "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefo", "evidence": { "method": "GET", "path": "\/htaccess.txt", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/htaccess.txt HTTP\/1.1", "request_sample": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefox\/3.6.9\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/htaccess.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko\/ Firefo", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b16a77c8c4b98eca784024618e75c94b5d0a84f8", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_elasticsearch_probe" ], "behavior_alert_count": 2, "behavior_priority": 72 }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 52
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_web_probe Cible HTTP GET /modules/custom.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /modules/custom.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /modules/custom.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20 Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:135.0) Gecko/20100101 Firefox/135.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "61a68d8ae82bc8425114abf48390d06cae6524df", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "632ece66dfb5ec5e21273c3861983a2ba62f07b7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.317416746952136, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a63c14f5d607c99cde4cdd85c390346bf140f696", "event_fingerprint": "35100c2441e29e152293dcc09ea06a1e75ba8365", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1846ec21f37e27db5dcc081ead338b2b", "payload_hash": "09ac954af5a37d211947505daa48968b", "path_pattern_hash": "f5ab2d5346f34e0a620fba1ef488dca0" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20", "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20", "evidence": { "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20100101 Firefox\/135.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:135.0) Gecko\/20", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "08089c0276350110713d0c7e3e889f839e33703c", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_web_probe Cible HTTP GET /README.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /README.txt Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /README.txt HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/ Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "4f57cc881a53cebe5d10cc98311e08065ac92bb0", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "ab9489e2835a4c90f6af65db2a350e9fbed45704", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 230, "payload_entropy": 5.278215988304177, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2d85d4d5e5280806e0f57eab59329e6d9e70a988", "event_fingerprint": "05f93509cd89f423f489f5d361732b1daff6fda6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "64bac746a47771f6b253e04214bfea07", "payload_hash": "c69f62589f4eb74291e248d102a21e99", "path_pattern_hash": "f1da2ac495442188b42e61002c12ea20" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/", "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/", "evidence": { "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/20100101 Firefox\/101.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko\/", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44837644830772f0d9713624e3f32126d8c93d50", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 11, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_web_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/603.1.10 Requête brute (extrait) GET / HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/603.1.10 (KHTML, like Gecko) Version/10.1 Safari/603.1.10 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 257, "payload_entropy": 5.315592102305811, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5b5314220e6da4ce39ef6e7f61493f18", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10", "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10 (KHTML, like Gecko) Version\/10.1 Safari\/603.1.10\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10 (KHTML, like Gecko) Version\/10.1 Safari\/603.1.10\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit\/603.1.10", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a25c7d2109b337918bc2d8603b6a2b67b19043e4", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /assets/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /assets/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "9deb03ee93b5c35fc64945fba2497110debf3fc9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.467263723894979, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 53, "tag_count": 5, "anomaly_count": 0, "campaign_key": "50601b5c70bbc389ae18935f6682f7ab095602d7", "event_fingerprint": "08a4f4e8ba38d704bbc160a55f6607398a7c5e03", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "258137661b34dd30b041a7a67b240f10", "path_pattern_hash": "69c03841151170259bac878d0fbd4b66" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c0ce68dafbdec5b53131653bd1560468e4943b7a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /joomla.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /joomla.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /joomla.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi Requête brute (extrait) GET /joomla.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encod Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "e3a32f55b71ae8a498448110322cd43ae763cf10", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "b5d12a1bd786a4e8ded40b52d9812a90023251c0", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 269, "payload_entropy": 5.36048934453257, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c5e582e8728e324f8ed7a74f6610a26ef4dfd814", "event_fingerprint": "fabc916c3149f4bdd1efc118f03dd97135660681", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "1a2ba31a31774016978b8347c1d40962", "payload_hash": "d0aa538a0955db10f8364440a0eda84c", "path_pattern_hash": "37b7494e384a970799b9ec3c4b123d60" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 47 }, "payload_preview": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encod", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "evidence": { "method": "GET", "path": "\/joomla.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/joomla.xml HTTP\/1.1", "request_sample": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.0.4 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encod", "payload_snippet": "GET \/joomla.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKi", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7c874a04d5041626d73e827aaa94e411019707d1", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 53
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /plugins/system/debug/debug.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /plugins/system/debug/debug.xml Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) SSRF Any-address SSRF Ligne de requête `GET /plugins/system/debug/debug.xml HTTP/1.1` User-Agent Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Knoppix; Linux i686) Appl Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-E Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "d38e7e5db0ab51bdb1d82bfbf6dfdd83ae4f5400", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "72342f75eb3d267db2b9e94ef476febfa2c522cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 273, "payload_entropy": 5.381856787756209, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 53, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ddc3942d3f9669a85a224881e69cec3dd7955864", "event_fingerprint": "a04271c344099ac513136544dc16640071ee29e7", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "matched_patterns": [ "pat-0324" ], "matched_pattern_names": [ "SSRF Any-address SSRF" ], "pattern_ids": [ "pat-0324" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 53, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0fe300705f782d2c1f493cb803abe942", "payload_hash": "22e2b75901c72f23bb9b5dc69da3edc7", "path_pattern_hash": "5827499d7e8d83e6835edd2eb5f2a61b" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) Appl", "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-E", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) Appl", "evidence": { "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-E", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Knoppix; Linux i686) Appl", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "12f2935cb937574ca787de32934039d444506146", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 47
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 379, "payload_entropy": 5.480986029549481, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "a2479d55de5f7a2941ae9adde7c733926bfcfb6b", "event_fingerprint": "5eb8b5865ef3a41227bedc4c1732805f36079deb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 47, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "a8cd502fd0b5521d5113b693c7e6a537", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9c8f8ce9e9c4388b29aecf1c43bf66186ad540cf", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 49
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Surveiller Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/6 Requête brute (extrait) GET /joomla/ HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 264, "payload_entropy": 5.345571082563361, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 49, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1797796c690c3170e6bcd4d2c61c6adc1d312487", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 49, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f7922035e5dad20c3f73e201c11f72c6", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 49 }, "payload_preview": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/6", "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.0 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/6", "evidence": { "request_sample": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.0 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/joomla\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/6", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "330d132b793b45737ae8f40ff8646cf9e792e665", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9000 · HTTP	http	Scan de ports	Élevée	Moyen · 52
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9000 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "319f037be689d5d969fab30b05e5a76c4f957c34", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.4741249241288354, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9000, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "de7429818ef61fbf569b412423f4860010301c48", "event_fingerprint": "d0a51c7f68e75089d1f1f94bc6a2a81489c7d86c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "f9f8f76100b7b7f22e1c4282aed23757", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 9000, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1b27114b9385c86b7cb0daf1e77acced456a0d2b", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 61
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 27 Recommandation Investiguer Tags 950316:lfi-14 950326:rce-0 950468:nosqli-3 950470:nosqli-3 Cible HTTP GET /language/en-GB/en-GB.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /language/en-GB/en-GB.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /language/en-GB/en-GB.xml HTTP/1.1` User-Agent Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 Règles WAF lfi-14 rce-0 nosqli-3 Payload (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit Requête brute (extrait) GET /language/en-GB/en-GB.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (CentOS; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept-Encoding Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 3, "http_path_ext": "xml", "http_ua_hash": "89d412a9f31adf24199f408caf29ecfea7a041dc", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "f6e3ce41a1739f6e53ae9c792dd8feb5eae9a9a7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 266, "payload_entropy": 5.393992441929785, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25 }, "risk_score": 61, "tag_count": 5, "anomaly_count": 0, "campaign_key": "caa7a4e11a32367c4b42fa3e8322444d6d0580b4", "event_fingerprint": "29d334ded8b5b342b8f9d6f812a41cf17d9cad19", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 25, "risk_score": 61, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "87ed9e8d39c6e9cc0360c54beb04f156", "payload_hash": "d98871f365eb1718f4107c5156753a5a", "path_pattern_hash": "99879359e0ccef25e57e05c0e6f11487" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 61 }, "payload_preview": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit", "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit", "evidence": { "method": "GET", "path": "\/language\/en-GB\/en-GB.xml", "user_agent": "Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36", "waf_tags": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3" ], "request_line": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1", "request_sample": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/139.0.0.0 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding", "payload_snippet": "GET \/language\/en-GB\/en-GB.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (CentOS; Linux i686) AppleWebKit", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2c9594fa1cfb217a75f50140862fe196052977a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950316:lfi-14", "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 42
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 6 Recommandation Surveiller Tags 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /README.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /README.txt Pourquoi cette classification : Tags WAF: nosqli-3 · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /README.txt HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15 Règles WAF nosqli-3 Payload (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi Requête brute (extrait) GET /README.txt HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15 Connection: close Accept: / Accept-Language: en Accept-Encodin Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "0073d6782eb0bbe804a461c5fff2be28c2db1107", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "ab9489e2835a4c90f6af65db2a350e9fbed45704", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 267, "payload_entropy": 5.354445731086917, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 32, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "b0628f4bfd6792b82ca19b8444197237c1158dfa", "event_fingerprint": "7c77daca293d83d500816aaed9bf51f5e5ded1ef", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "confidence_breakdown": { "waf": 32, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 42, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bdb2d93cd8efdfa47fc1bfcadd8135f9", "payload_hash": "497e9239a769e88721614bddcfee223d", "path_pattern_hash": "f1da2ac495442188b42e61002c12ea20" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi", "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodin", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi", "evidence": { "method": "GET", "path": "\/README.txt", "user_agent": "Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15", "waf_tags": [ "950470:nosqli-3" ], "waf_rule_names": [ "nosqli-3" ], "request_line": "GET \/README.txt HTTP\/1.1", "request_sample": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/18.0 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encodin", "payload_snippet": "GET \/README.txt HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh, Intel Mac OS X 10_15_7) AppleWebKi", "classification_reason": "Tags WAF: nosqli-3 \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99bfad8e0cb2e81fd5ec17d87e00bbdc9a274e57", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /images/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /images/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /images/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "c3e02c33e4e599b13776537fef445a739c5bf5a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.472136026946615, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "715977348344914687ffb3703f919ed2ca6c5b73", "event_fingerprint": "c235c53d75a994670e6f33be7939a59cd792ff8a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "7823906dfa2137b0782d9235f83ea689", "path_pattern_hash": "ebfc9cc147746028ca30139889e0c240" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "86f603ffc4e4830da35b247dc635d03a0dd265f6", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 50
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko/ Fire Requête brute (extrait) GET /administrator/ HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko/ Firefox/4.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 215, "payload_entropy": 5.279605273977641, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9f6b0420b9eb131217ffa91d20600329bbbfb575", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0341", "pat-0600" ], "matched_pattern_names": [ "ES admin GET", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0341", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 50, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "450208103c85d2a296a530370161e627", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Fire", "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Firefox\/4.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Fire", "evidence": { "request_sample": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Firefox\/4.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/administrator\/ HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:1.9.6.20) Gecko\/ Fire", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "44f1c94541ef3c0f26b708101447983aa6cc77fe", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "tor_exit_probe", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /modules/custom.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /modules/custom.xml Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /modules/custom.xml HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/85.0.4183.127 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Requête brute (extrait) GET /modules/custom.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/85.0.4183.127 Safari/537.36 Connection: close Accept: / Accept-Language: en Accept Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "xml", "http_ua_hash": "f69c504bcf536d3a13acbd93ecbb187977854f22", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "632ece66dfb5ec5e21273c3861983a2ba62f07b7", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 275, "payload_entropy": 5.45632467666, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "343d86788912adb29cecdb55f9194dedef9b3420", "event_fingerprint": "2110d0d9e8e9fa5a1c9657dfe1c48ca702c07819", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 40, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d10745557f37492a4072c2c18fd476a0", "payload_hash": "7bd57b01fef48d03e33ea3b1d069bfd1", "path_pattern_hash": "f5ab2d5346f34e0a620fba1ef488dca0" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 55 }, "payload_preview": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36", "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36", "evidence": { "method": "GET", "path": "\/modules\/custom.xml", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/modules\/custom.xml HTTP\/1.1", "request_sample": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/85.0.4183.127 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept", "payload_snippet": "GET \/modules\/custom.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "897e4c7e084953278a915573e6b512199af382ef", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 44
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 13 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK Requête brute (extrait) GET /favicon.ico HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml,app Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 379, "payload_entropy": 5.476738957057563, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 60, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "12c6bf30c819300b659d1424d4cbd3a5a87c2824", "event_fingerprint": "544dc0fe00c4319033ac194aa454357b3d8491ac", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 60, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "2b3ad1077ba46ddc2c0616c160844d2c", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml,app", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebK", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eca0d7c461d4ab2a02f4a79c46da500ddd2de738", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_probe_assets Cible HTTP GET /assets/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /assets/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /assets/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /assets/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "9deb03ee93b5c35fc64945fba2497110debf3fc9", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.473816379369022, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "628b4fe0761503599a5380d7ca6d1fd897b41b57", "event_fingerprint": "3a714df34619336a873b4f81534ca2149c15cb7d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "507b2a3ea75ea47fe08a0ef721740a4b", "path_pattern_hash": "69c03841151170259bac878d0fbd4b66" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/assets\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/assets\/favicon.ico HTTP\/1.1", "request_sample": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/assets\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e881968ccbbae115f102cd6f336e44797e1cfe82", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_probe_assets", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 50
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64 Requête brute (extrait) GET /administrator/help/en-GB/toc.json HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Connection: close Accept: / Accept-Languag Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 288, "payload_entropy": 5.413589222251362, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9f6b0420b9eb131217ffa91d20600329bbbfb575", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0341", "pat-0600" ], "matched_pattern_names": [ "ES admin GET", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0341", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 50, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9705c4250ee584e9f595ec7bca7a3f45", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64", "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Languag", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64", "evidence": { "request_sample": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/92.0.4515.159 Safari\/537.36\r\nConnection: close\r\nAccept: \/\r\nAccept-Languag", "payload_snippet": "GET \/administrator\/help\/en-GB\/toc.json HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba6d8cda1531c4a6540472d02d524abc2577ab28", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "tor_exit_probe", "websphere_probe" ] }
07/06/2026 07:11:36 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports	Élevée	Moyen · 56
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 http_sensitive_path Cible HTTP GET /plugins/system/debug/debug.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible /plugins/system/debug/debug.xml Pourquoi cette classification : Sonde fichier sensible / config · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET /plugins/system/debug/debug.xml HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X Requête brute (extrait) GET /plugins/system/debug/debug.xml HTTP/1.1 Host: www.blacklistip.com:9200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15 Connection: close Accept: / Accept-Langua Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 4, "http_path_ext": "xml", "http_ua_hash": "4a1ec4432565701a873ea9c071435e548aa28a86", "http_host_hash": "ed2de66492dda3548e78c5a14cea344abaddd118", "http_target_hash": "72342f75eb3d267db2b9e94ef476febfa2c522cb", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 289, "payload_entropy": 5.348301845036422, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 402253, "country": "CH", "dst_port": 9200, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 50, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "595c2068da5c2fdf800cf250f9523ca4067913ad", "event_fingerprint": "1973b96716d3b4a0b3da50e811dc89625773a617", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 171, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 50, "novelty": 25, "risk_score": 56, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d24f15f109daba5836bb62e8900206b6", "payload_hash": "8532cbca19bafcd646d84be6735ddd73", "path_pattern_hash": "5827499d7e8d83e6835edd2eb5f2a61b" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 56 }, "payload_preview": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Langua", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "evidence": { "method": "GET", "path": "\/plugins\/system\/debug\/debug.xml", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1", "request_sample": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/13.1.1 Safari\/605.1.15\r\nConnection: close\r\nAccept: \/\r\nAccept-Langua", "payload_snippet": "GET \/plugins\/system\/debug\/debug.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9200\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X", "classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a4359dce981fc726b4ee0b4f7715cde5c3aa16e4", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "http_sensitive_path", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9090 · HTTP	http	Scan de ports	Élevée	Moyen · 52
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /images/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible /images/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /images/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap Requête brute (extrait) GET /images/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9090 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "e862b30a39ca6c6e44401c5388b26fc59bec543c", "http_target_hash": "c3e02c33e4e599b13776537fef445a739c5bf5a1", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 386, "payload_entropy": 5.4679659739040325, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9090, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "13e8fb57e883517660546c2e8899f440a60eb584", "event_fingerprint": "d095527634dc7fa9c696299748902af14e00eb7b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "d90e663e7dd4a13dfae2997332de56b3", "path_pattern_hash": "ebfc9cc147746028ca30139889e0c240" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "evidence": { "method": "GET", "path": "\/images\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/images\/favicon.ico HTTP\/1.1", "request_sample": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+", "payload_snippet": "GET \/images\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9090\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Ap", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "453538f6e1ffb21a51a953e500a27865cc4aac43", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9080 · HTTP	http	Scan de ports	Élevée	Moyen · 55
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF 19 Recommandation Investiguer Tags 950326:rce-0 950468:nosqli-3 950470:nosqli-3 net_port_scan_fast Cible HTTP GET /web/favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible /web/favicon.ico Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) CRS 941130 Ligne de requête `GET /web/favicon.ico HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Règles WAF rce-0 nosqli-3 Payload (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple Requête brute (extrait) GET /web/favicon.ico HTTP/1.1 Host: www.blacklistip.com:9080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Connection: close Accept: text/html,application/xhtml+xml Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053", "emulator_response_len": 147, "http_header_count": 6, "http_query_params": 0, "http_path_depth": 2, "http_path_ext": "ico", "http_ua_hash": "009708ab8b415efb3877101f8f03a9c41d918a5b", "http_host_hash": "166182c7e9b509a6489d1c8594764559cde7560a", "http_target_hash": "fbd790bdeb362b00d49b0fdb2cc8a77d3bcea549", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 383, "payload_entropy": 5.480728905885966, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "http", "app_proto": "http", "asn": 402253, "country": "CH", "dst_port": 9080, "risk_waf": 84, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "715977348344914687ffb3703f919ed2ca6c5b73", "event_fingerprint": "9be9704477919700bf68569e6bf597045fd0c00f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 226, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0284" ], "matched_pattern_names": [ "CRS 941130" ], "pattern_ids": [ "pat-0284" ], "confidence_breakdown": { "waf": 84, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0a16705ffce731cc88304d238f489d", "payload_hash": "139fbe8a1303c287b2786711620b18db", "path_pattern_hash": "53177baa3eea1f41ac064a836a2fa9b0" }, "target_context": { "dst_port": 9080, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "evidence": { "method": "GET", "path": "\/web\/favicon.ico", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3" ], "waf_rule_names": [ "rce-0", "nosqli-3" ], "request_line": "GET \/web\/favicon.ico HTTP\/1.1", "request_sample": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/91.0.4472.124 Safari\/537.36\r\nConnection: close\r\nAccept: text\/html,application\/xhtml+xml", "payload_snippet": "GET \/web\/favicon.ico HTTP\/1.1\r\nHost: www.blacklistip.com:9080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "39ebfb77455c58735d53c5dd5ee529ec3891898c", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950468:nosqli-3", "950470:nosqli-3", "net_port_scan_fast" ] }
07/06/2026 07:11:36 UTC	TCP	9443 · HTTPS	https	Scan de ports	Élevée	Moyen · 50
Étape Reconnaissance Corrélations Campagne ports MITRE T1046 TA0043 WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) ES admin GET HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Inte Requête brute (extrait) GET /administrator/language/en-GB/install.xml HTTP/1.1 Host: www.blacklistip.com:9443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0 Connection: close Accept: / Accept-Language: en Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 264, "payload_entropy": 5.253956204257235, "port_category": "registered", "org": "SKN Subnet & Telecom Ltd", "service": "https", "app_proto": "https", "asn": 402253, "country": "CH", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25 }, "risk_score": 50, "tag_count": 6, "anomaly_count": 0, "campaign_key": "9f6b0420b9eb131217ffa91d20600329bbbfb575", "event_fingerprint": "66de93e93356302b7cdade60cabf69b7305865e4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 196, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-upstream" ], "matched_patterns": [ "pat-0341", "pat-0600" ], "matched_pattern_names": [ "ES admin GET", "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0341", "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 25, "risk_score": 50, "correlation_boost": 6 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CH", "asn": 402253, "org": "SKN Subnet & Telecom Ltd", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4a5a66f1b838c974de5e4e873c82c32f", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 50 }, "payload_preview": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko\/20100101 Firefox\/141.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "evidence": { "request_sample": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko\/20100101 Firefox\/141.0\r\nConnection: close\r\nAccept: \/\r\nAccept-Language: en\r\nAccept-Encoding: ", "payload_snippet": "GET \/administrator\/language\/en-GB\/install.xml HTTP\/1.1\r\nHost: www.blacklistip.com:9443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Inte", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "165cf46e0fe77d8c5d894c7dd17f5652b201b10d", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 12, "port_scan_ports_sample": [ 7002, 8000, 8080, 8086, 8443, 8880, 8888, 9000, 9080, 9090, 9200, 9443 ], "behavior_alerts": [ "port_scan_campaign" ], "correlation_confidence_boost": 6, "attack_chain_stage": "recon", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_port_scan_fast", "tor_exit_probe", "websphere_probe" ] }

209.99.187.19

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence